Wicket invalidate session & login on same event - session

When I try to log in while I'm already logged in, Wicket gives me a LoginException: Additional Logins are not allowed. This makes sense of course.
What I want to do, is invalidate the session if there is already a user logged in, and log in in the same event.
if (((AuthenticatedWebSession) getSession()).isUserAuthenticated()) {
    ((AuthenticatedWebSession) getSession()).invalidateNow();
}
((AuthenticatedWebSession) getSession()).login(secureLoginContext);
It seems invalidateNow is completed after the onSubmit event, because Wicket still gives me the same LoginException.
Any ideas how to make this work?

Why do you want to log in again? Are you trying to log in with different credentials?
I have once written a panel where a user (already logged in) could log in as another user if he had sufficient rights. I ran into a similar problem and fixed it by forcing Wicket to make a new session with ThreadContext.setSession(null).
So your code would become:
if (((AuthenticatedWebSession) getSession()).isUserAuthenticated()) {
    ((AuthenticatedWebSession) getSession()).invalidateNow();
    // detach the invalidated session from the request thread so the next getSession() creates a new one
    ThreadContext.setSession(null);
}
((AuthenticatedWebSession) getSession()).login(secureLoginContext);
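The sequence from the answer, written out as a complete session class plus the login form that runs it in a single submit event. This is an added example, not code from the question or the answer: SecureSession, LoginForm, the signInFresh helper and the in-memory user table are assumptions, and it uses the stock wicket-auth-roles 6.x names signIn()/isSignedIn() rather than the question's custom login()/isUserAuthenticated().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;

import org.apache.wicket.Session;
import org.apache.wicket.ThreadContext;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.model.PropertyModel;
import org.apache.wicket.request.Request;

/**
 * Session that permits a second login by discarding the current session first.
 * Register it from your WebApplication.newSession(Request, Response) as usual.
 */
public class SecureSession extends AuthenticatedWebSession {

    // Constructed sample store: username -> SHA-256(password) as hex.
    // A real deployment would look the user up in a directory or database (assumption).
    private static final Map<String, String> USERS =
        Collections.singletonMap("alice", sha256Hex("correct horse battery staple"));

    private String username;

    public SecureSession(Request request) {
        super(request);
    }

    @Override
    protected boolean authenticate(String user, String password) {
        String expected = USERS.get(user);
        // constant-time comparison of the two hex digests
        boolean ok = expected != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.US_ASCII),
            sha256Hex(password).getBytes(StandardCharsets.US_ASCII));
        if (ok) {
            username = user;
        }
        return ok;
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    public String getUsername() {
        return username;
    }

    /**
     * Logs in as {@code user} even if this session already holds a login. The old
     * session is invalidated immediately and dropped from the request thread, so the
     * next Session.get() allocates a brand-new session (new ID, none of the previous
     * principal's attributes) which signIn() then binds.
     */
    public static SecureSession signInFresh(String user, String password) {
        SecureSession current = (SecureSession) Session.get();
        if (current.isSignedIn()) {
            current.invalidateNow();        // kill the old container session now, not at request end
            ThreadContext.setSession(null); // forget it on this thread so a new one gets created
        }
        SecureSession fresh = (SecureSession) Session.get(); // creates and attaches a new session
        fresh.signIn(user, password);
        return fresh;
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Login form whose single onSubmit performs invalidate-then-login. */
    public static class LoginForm extends Form<Void> {
        private String user;
        private String password;

        public LoginForm(String id) {
            super(id);
            add(new TextField<>("user", new PropertyModel<String>(this, "user")));
            add(new PasswordTextField("password", new PropertyModel<String>(this, "password")));
        }

        @Override
        protected void onSubmit() {
            SecureSession s = SecureSession.signInFresh(user, password);
            if (s.isSignedIn()) {
                continueToOriginalDestination(); // back to the intercepted page, if there was one
                setResponsePage(getApplication().getHomePage());
            } else {
                error("Invalid username or password");
            }
        }
    }
}
```

The ordering matters: invalidateNow() alone leaves the same, now-invalidated session object attached to the thread, so Session.get() keeps returning it with its authenticated flag still set, which is what the question's version runs into. Detaching it with ThreadContext.setSession(null) before the next Session.get() is what produces a fresh session. Because that session has a new ID and none of the old attributes, the same sequence also serves as the usual defence against session fixation when a login replaces an earlier one; Wicket 6 and later additionally offer Session.replaceSession() for that purpose.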

Why does Cypress load the login page again instead of the home page?

I wrote a Cypress script to log in to the application (enter the user ID and password and click the log-in button), expecting it to load the home page. Cypress enters the user ID and password and clicks the button, but loads the login page again instead of the home page.
Below is my script to log in:
cy.visit('https://digitalxq1.com/sis/basic?accountNumber=123456');
cy.enterText(txtUserID, userid);   // custom command: type into the user ID field
cy.enterText(txtPwd, 121212);      // custom command: type into the password field
cy.clickElement(btnPwd);           // custom command: click the login button
Has anyone faced a similar issue? Does anyone know the solution? Please assist.
The nature of the application forced me to log in first without the account number (cy.visit('https://digitalxq1.com/sis/basic')) and reload the app with the account number after that (cy.visit('https://digitalxq1.com/sis/basic?accountNumber=123456')).
I made the mistake of doing the refresh immediately after clicking the login button, as below:
cy.visit('https://digitalxq1.com/sis/basic');
cy.enterText(txtUserID, userid);
cy.enterText(txtPwd, 121212);
cy.clickElement(btnPwd);
// navigating away right after the click, before the login response has been processed
cy.visit('https://digitalxq1.com/sis/basic?accountNumber=123456');
Somehow Cypress was unable to respond to the refresh and loaded the login page again. As a solution, I validated whether the app had loaded after clicking the login button, then proceeded with the refresh as below:
cy.visit('https://digitalxq1.com/sis/basic');
cy.enterText(txtUserID, userid);
cy.enterText(txtPwd, 121212);
cy.clickElement(btnPwd);
// wait until the post-login page has rendered before navigating again
cy.get('#testElement').should('have.length', 2);
cy.visit('https://digitalxq1.com/sis/basic?accountNumber=123456');
This approach resolved my issue.
Try this: cy.reload(); this will work.
If you want to reload the page with cache, then try this: cy.reload(true)

Reset Password Link Joomla - While in "maintenance mode" / offline mode

How do users reset passwords while in "off-line" mode?
We are running the site as Intranet.
Joomla 2.5.4
Mhm... this is quite long to do, but maybe you can work it out.
1. Grant your user level offline access (you can do that in Global Configuration -> Permissions).
2. Create a menu entry that points to the user profile and set it visible to your users.
3. Set every menu, module etc. invisible to "normal" users (except the previous one).
I've never tried it before, but it should work.
I just wanted to share my solution for Joomla 3.9:
In the file "offline.php" of your template (or in /templates/system if the template has no offline.php), you can place this code before where the login form is displayed:
<?php
// Load the front-end com_users controller so its views (reset, remind, ...) can be rendered here
require_once JPATH_SITE . '/components/com_users/controller.php';

if (JRequest::getVar('option') == 'com_users') {
    // Password reset / reminder request: show system messages, then the component view
    ?><jdoc:include type="message"/><?php
    $registrationController = new UsersController();
    $registrationController->display();
} else {
    // Default: the template's normal offline login form goes here
}
?>
So it displays the dialogs to reset the password if the page is loaded using "index.php?option=com_users&task=request.reset" or similar, but shows the "offline" login form by default.

MVC3: detect website (application) is closing

I'm building a website with MVC3 and I need to delete data in my database only when the application is closing (the user clicks on the red X).
I tried with JavaScript using the onbeforeunload event, but this event happens every time I go into a new page in my application.
Is it possible to detect when the user closes the window?
It's not possible. But what you can do is have a small JavaScript block that will make an AJAX call every n minutes/seconds to tell the server that the user still has the browser open.
This way, you can set a timeout that says if after 5 minutes we haven't heard from the user we can delete the data in the database (or whatever action you need to do).
To implement the timeout logic there are two options:
1. You have a separate service (console app or Windows service) running on some interval that checks if any user's timeout is greater than some value. If it is, then perform whatever action you need.
2. If any user performs an action that would have been blocked, you first check if any user still has it active (the timeout value is greater than the current time). If there is, you block the user; if there isn't, you can remove that old timeout value since it has expired.
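The heartbeat scheme above, worked through as an added example that is not code from the answers. It is written in plain Java as a framework-neutral class (the controller action that receives the AJAX ping and the scheduled job that calls reap() are left to the host application), and the names PresenceRegistry, Lease, tryAcquire, heartbeat, release and reap, as well as the timeline in main, are assumptions. The design point it shows is that the server never trusts the browser to announce that it closed: silence for longer than the timeout is the only signal, and both option 1 (a reaper) and option 2 (a lazy check at the point of contention) are built on the same timestamps.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Server-side record of who currently holds an editable item, kept alive by the
 * client's periodic AJAX ping. A holder that stops pinging for longer than the
 * timeout is treated as gone, whether the tab was closed, the laptop slept, or
 * the network dropped.
 */
public class PresenceRegistry {

    /** One held item: the holder and the time of the last ping. */
    public static final class Lease {
        public final String holder;
        public final Instant lastSeen;
        Lease(String holder, Instant lastSeen) { this.holder = holder; this.lastSeen = lastSeen; }
    }

    private final Map<String, Lease> leases = new ConcurrentHashMap<>();
    private final Duration timeout;

    public PresenceRegistry(Duration timeout) { this.timeout = timeout; }

    private boolean expired(Lease l, Instant now) {
        return !l.lastSeen.plus(timeout).isAfter(now);
    }

    /**
     * Option 2 (lazy check): a user tries to take an item. The user identity must be
     * the server-side authenticated principal, never a value from the request body.
     * Returns true if the item is now held by this user.
     */
    public boolean tryAcquire(String itemId, String user, Instant now) {
        Lease granted = leases.compute(itemId, (id, cur) -> {
            if (cur == null || cur.holder.equals(user) || expired(cur, now)) {
                return new Lease(user, now);   // free, already ours, or stale: take it
            }
            return cur;                        // someone else is still active: blocked
        });
        return granted.holder.equals(user);
    }

    /** Called by the periodic ping; only the current, unexpired holder can extend the lease. */
    public boolean heartbeat(String itemId, String user, Instant now) {
        Lease l = leases.computeIfPresent(itemId, (id, cur) ->
            cur.holder.equals(user) && !expired(cur, now) ? new Lease(user, now) : cur);
        return l != null && l.holder.equals(user) && l.lastSeen.equals(now);
    }

    /** Explicit release, e.g. from an unload handler; harmless if the lease is already gone. */
    public void release(String itemId, String user) {
        leases.computeIfPresent(itemId, (id, cur) -> cur.holder.equals(user) ? null : cur);
    }

    /**
     * Option 1 (scheduled reaper): drop every lease whose holder has been silent for
     * longer than the timeout and return the item IDs so the caller can delete the
     * matching database rows.
     */
    public List<String> reap(Instant now) {
        List<String> reaped = new ArrayList<>();
        for (Map.Entry<String, Lease> e : leases.entrySet()) {
            if (expired(e.getValue(), now) && leases.remove(e.getKey(), e.getValue())) {
                reaped.add(e.getKey());
            }
        }
        return reaped;
    }

    public static void main(String[] args) {
        PresenceRegistry reg = new PresenceRegistry(Duration.ofMinutes(5));
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z");                   // constructed timeline
        System.out.println(reg.tryAcquire("doc-42", "alice", t0));                // true
        System.out.println(reg.tryAcquire("doc-42", "bob", t0.plusSeconds(60)));  // false: alice still active
        reg.heartbeat("doc-42", "alice", t0.plusSeconds(240));                    // alice's browser pings
        System.out.println(reg.reap(t0.plusSeconds(500)));                        // []: renewed at +240, expires at +540
        System.out.println(reg.reap(t0.plusSeconds(600)));                        // [doc-42]
        System.out.println(reg.tryAcquire("doc-42", "bob", t0.plusSeconds(601))); // true: stale lease is gone
    }
}
```

The ping interval should be a small fraction of the timeout (for a 5-minute timeout, a ping every 30 to 60 seconds), so that a single dropped request does not expire an active user; and the ping handler must take the user from the authenticated session, since anything a browser sends can be replayed by another client.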
Use a synchronous AJAX request in the window.unload event.
When the user goes to a different page, or closes, or refreshes, then this event will fire. You could call a service on your web app to notify it that the user is no longer editing the document.
After a very quick Google search, I saw this snippet here:
$(window).unload(function() {
    $.ajax({
        url: 'resetTheDocument?id=whatever',
        async: false,   // synchronous, so the request is sent before the page is torn down
        cache: false,
        type: "POST",
        data: "My work here is done"
    });
});
Good morning. You could try adding your logic to the Global.asax file, in the Session_End method, to delete the record in your database.

Issue relating to Active Directory group

We have an MVC ASP.NET application. A person can see a view if they are in one of the Active Directory groups. We have only one box hosting our database and application (code).
Our Problem:
A person does not exist in any one of the AD groups, but he is Administrator on the box.
For some reason, he is authenticated with the view. He is not supposed to be authenticated.
I do not know why it's happening.
I know this is a unique problem. Has anyone had a similar issue?
This is the code we are using for authenticating a user
// Checks whether the current Windows user is a member of the configured AD group
if (LoginHelper.IsUserMemberOfRoles(LoginHelper.GetLoggedInUser(), new List<string> { GroupEnum.OurADGroupName.ToString() }))
{
    // authenticated
}
else
{
    // Redirect to not authorised View
}
My understanding:
As the person is Admin on the box, does this override all ADGroupName permissions?
It sounds very silly, but I think this is one possibility?
He surely must be an admin or in a group in Active Directory.

If I Rapidly Click the Browser Back Button Twice, The User is Logged Out in Our Cake App

This is a weird bug, and I'm not even sure how to begin figuring out what's going on.
We are using Cake 1.3.8 with our sessions in the database. I am not using ACL or any other access control. If we navigate into the application and click around a bit, and then rapidly click the browser back button twice (I've tried in Firefox and Chrome) the user is logged out more often than not and receives the error message 'You are not authorized to access that location'.
All of my searches thus far have involved people wanting to make the page inaccessible if a user logged out and then used the back button. I'm not seeing anything reported with regards to the issue I'm seeing.
Does anybody know if this is a Cake issue or have any thoughts on debugging what is going wrong?
Update: I found where the problem is. I have the security set to high, because we need the session to be closed whenever somebody closes the browser. I also have the timeout set very high because we do large binary uploads to S3, and don't want the user logged out while it's uploading or downloading. The specific block of code in cake_sessions.php that's causing the problem is:
$time = $this->read('Config.time');
$this->write('Config.time', $this->sessionTime);
if (Configure::read('Security.level') === 'high') {
    // Config.timeout is a per-session countdown of requests left before the ID is renewed
    $check = $this->read('Config.timeout');
    $check -= 1;
    $this->write('Config.timeout', $check);
    // renew (regenerate the session ID) after inactivity or when the countdown runs out
    if (time() > ($time - (Security::inactiveMins() * Configure::read('Session.timeout')) + 2) || $check < 1) {
        $this->renew();
        $this->write('Config.timeout', 10);
    }
}
$this->valid = true;
I would guess this is because session IDs are regenerated between requests when security = high. Source:
http://book.cakephp.org/compare/44/CakePHP-Core-Configuration-Variables/cakephp/cakephp1x
You only need one out-of-sync request, say for a missing image, and you will lose the session. I've generally found it unworkable because it's not possible to prevent users double-clicking on links and buttons and invalidating their session.
I would think about using medium security, setting the session timeout fairly short and using an AJAX script to refresh the session at regular intervals (e.g. every 60s). That way the user will be logged out quickly if the tab/window is closed.
If security is a priority, I would suggest hacking the core to make sure the session cookies are set to http_only to help guard against session hijacking by XSS attacks. CakePHP 1.x supports PHP4, so it probably isn't setting this by default.
http://php.net/manual/en/function.setcookie.php
It's possible that the session is erased and, before it can be written again, the back button is clicked, removing the auth from the session variables.
Page loads -> back button clicked -> session is erased (before the session is rewritten) -> back button clicked -> session check finds no existing session.
The only thing that I can think is happening is that when you're going back a page too quickly, your code can't validate the person quickly enough (round trip from checking credentials) and throws an error that gets displayed on the next page that is loaded (the second backed-to page).
Are you sure the person is actually logged out, or is it just the error being thrown?
Without seeing any code, it will be difficult to nail it down any further.
