We have a CI application where we used Ion-Auth as Authentication Library. We have used database for storing sessions.
So far everything works fine. Now, by default Ion Auth allows simultaneous logins for same user from different location. I want to prevent this. As per our client, only one login should be allowed.
Is it possible to achieve this, considering abandoned sessions (without pressing logout and closing browser) ?
If the issue in (1) above is complex to achieve, can I make a simple check if user is currently logged in./session is active.
The existing logged_in method does not take any input parameters. So I cant use this method.
I am assuming solution might be possible with already available library and I don't need to add extra fields/code to achieve this.
Thanks.
Related
Literally, I do not know what module is to get values from http, https.
I'm trying to bring tracking numbers from kind of BANC, UPS, FedEx...
My purpose is this reference specific values from other site and bring back to Netsuite.
1 What modules do I use for that?
2 If there is a login session, is it possible to access using suitescript?
your answer will be great help to me.
Accessing that information is usually done via API with credentials rather than a login session. For that you normally use N/https.
I am developing a web system in php using the laravel framework, I arrived at the part of authentication of users, where it is not allowed the type of user x access to page y. What is the best way to do this with laravel? I thought about creating a session and saving the id of the user, so every time he accesses a certain controller I check if he has access to the id or not. so I had some doubts.
Is this a good way to perform this authentication?
Is this really safe?
is there any way for the client to change my session?
What would be a better method for authenticating user access?
Laravel provides a very good authentication system out of the box. Even though Hacking is inevitable it provides very good protection and since Laravel is pretty popular framework you don't have to worry about the security part. if there is any security bug, patches will be available almost immediately.
And your second concern can a client can change the session ? the answer is NO, if you code it properly. session resides in the server unlike cookies, so there is no direct way for a user to change the session. if you follow good coding practices you are good to go.
And how do you limit userA from accessing pageB. This is a pretty common feature needed in almost all the applications. As of now Laravel does not provide an out of the box solution for this. but this is pretty simple, you can add a role column to the users table, and check whether user have appropriate permission in each page. Laravel keeps the user object in the session, and it is avilable via the auth() helper or Auth Facade. if you want a little sophisticated solution there is a package out there [entrust][1]. it seems a good choice.
You may want to read about
Authorization
Csrf Protection
Authentication
I hope I have addressed all your concerns
Laravel provides a simple way to authorize action thats purpose built for what you need:
https://laravel.com/docs/5.5/authorization
I'm writing an app that's supposed to run with MVC5 and using parse as a backend.
I'm using the new Identity feature of the MVC5 to login an user. I also tried to use this solution but I couldn't make it work.
What is happening is that when I login with the user A and then login with the user B in a different session (a incognito windows or a new browser) whenever I try to insert something related with a ParseUser object using the first user that was logged in I get an exception: UserCannotBeAlteredWithoutSessionError.
I'm not sure if I'm doing the implementation in a wrong way, or if it is a limitation of the Parse (I think it was designed to run using one user per device).
If you have a workaround for this situation please help me.
There is a good answer which may help: Parse Database Authorization - Security For User Objects.
So, it's a kind of Parse SDK limitation, when you can work with only one user per device (as ParseUser is cached locally). The only workaround that I can see is to perform SignOut/Login explicitly, when you need to do something from other user's context. There is no way to have two users work simultaneously from the same device.
I've developed an app in laravel and sentry2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML is redirected to my app where I check server variables, and if credentials are correct I let him pass to the site with sentry.
My issue occurs when I try to log in with the same account in two different browsers. Looks like when I log in in the second browser the existing session in the other browser gets overrided.
I've found out this looking into sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app work like gmail/fb that allows the user to be logged in both browsers at the same time.
It's correct the way it is.
Different browsers different sessions. This is a security feature/matter every single app should enforce.
If you log in a different browser how could Laravel tell if it's not a different person login in from a different computer in the same network? Log someone off in this case it's also the correct thing to do, because if some kind of exploit is happening, user will see something is wrong and, maybe, change his/her password.
Some (ie: banking) also do: different browser tabs, different sessions, but this is not the Laravel case.
This is a follow-up question to Is Forms Authentication as described in the Nancy docs susceptible to session hijacking?
I understand now how Nancy Form Authentication works and also the idea behind it, thanks to Steven Robbins' answer.
However, for my application that approach is not sufficient. It must not be possible to gain eternal access for an attacker if he manages to steal the auth cookie once. Thus, I'm currently investigating possibilities to switch to a session-based approach to authentication, so I can invalidate sessions when the user logs out and also after a fixed amount of time.
Nice thing about Nancy, such things can be customized!
My question is, does it make sense to reuse Nancy.FormsAuthentication for that purpose? One solution I have in mind is making the user identifier only temporarily valid. That way I would delete the GUID identifier from the user database when the user logs out, and create a new one everytime a user logs in.
I'm asking because the docs state:
It is also important to know that the identifier should be treated as
permanent for the user that it was generated for and will be reused
across requests and application sessions.
Are there any unwanted side-effects when I ignore that and make the identifier non-permanent?
Yes and no.
If you change it each time the user logs in then you are effectively logging the user out.
You could create a Session / Identity table which allows the same user to login multiple times (assuming that the browser is different) which would allow you to manage the timeout / extending the timeout on each authentication.
That would require no changes to the Forms Auth, you would simply change the IUserMapper to authenticate against your Session / Identity table rather than the user directly.
(hope all that makes sense)