User logged in as wrong user - asp.net-mvc-3

I am using MVC3 along with Autofac & EF4.1 to build an secure web app deployed on two servers.
A very few users are experiencing a strange issue where user is logged into system as wrong user with different account/branch settings.
I am authentication user using form authentication(.ASPXAUTH cookie) and roles are decided from active directory contents. user being logged in is assigned an unique token which flows during all transaction.
Could this be related to Autofac or authentication cookie is cached somewhere?

Are you users using shared computers?
If so, then I suspect that the cookie is to blame.
If not, then context information somewhere else in the application is to blame.

it was actually a static image file having set-cookie inside which was causing the trouble.

Related

Multi Tenant session management using multiple domains

I am trying to implement a feature similar to Slack where my application is a multi-tenant app, and a user can be logged into multiple accounts. Each account will be tied to a different domain. If logged into 2 different accounts, the user should be able to switch back and forth between the accounts. Also, the sessions should be managed independently. If one session expires, and the user needs to login, that expired session should not affect the other active sessions.
View Slack Image
The issue I am seeing is the different domain sessions override each other. This is a react frontend with Okta
Thanks for your time.
There are some gaps which require details, but here are few pointers that might help you.
Post authentication, you should be storing the authentication information like the session expiry, username in some form (local / session storage)
If I login to your application and choose a domain like (acme.com), the session information should be stored in a key like acme.com or hash(acme.com) so that how much ever domains, I login into, there will be unique keys to identify sessions and there will be no conflict of keys.
Once the domains are changed (like you switch workspaces in slack) there will be a new login session established (first time), which sets up the session information like described above.
For every workspace / domain change, the authentication libraries would be called and they would validate the stored session information, which gives the right data and expiry and user gets to use the application without issues.
Do share your implementation details or any issues had you implemented this solution.

spring mvc only one user login per browser

I am developing spring MVC application, in my project, i have login page where I can successfully log in, the problem is that if I open new tab and log in with different username it's logging in, means at a time in the same browser I am able to login in multiple users which I don't want ,I want my application to single user login per browser how to make it.
While rendering login page, you check authentication. If you are using Spring security, you can check for principal auth present or not. If auth is present render home page else render login page. I think this can solve your issue neatly.
I suppose that Spring Security session management is what you're looking for:
Spring Security is able to prevent a principal from concurrently
authenticating to the same application more than a specified number of
times. Many ISVs take advantage of this to enforce licensing, whilst
network administrators like this feature because it helps prevent
people from sharing login names. You can, for example, stop user
“Batman” from logging onto the web application from two different
sessions. You can either expire their previous login or you can report
an error when they try to log in again, preventing the second login.
For more information, read the following docs:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/session-mgmt.html
Control the Session with Spring Security

Spring Security asks authenticated user to log in again and again

I am using Spring Security 3.0.2 on a web site where users can log into their account. The account landing page has a button that takes you to a second page. Various users report that they have trouble getting to that second page because they are asked to log in again and again when they press the button. I cannot reproduce the problem myself, and it seems to work for most people. However, enough people have complained about the issue that I take them seriously. What could be the cause for such a spurious malfunction?
I see some possible cases maybe some of them would produce a 403 and not a redirect :
the second page is protected by a intercept-url with a list of role and some user doesn't have the required role. Maybe your account has some "admin" role which allow you to access any page that why you can not reproduce it
same problem but whith method #Secured with role that some users doesn't have
maybe these user aren't accepting cookie
maybe you have multiple domain the cookie is created for the domain www.domain.com then the user is redirected to another domain like www1.domain.com where the cookie doesn't apply.
maybe you have some kind of miss configuration in the load balancing the session is created on the 1st server, then the 2nd page is handled by the 2nd server where the session doesn't exists
maybe somewhere in the code you call session.invalidate()
hope it helps

Session variables not saving

I have MVC application which uses Forms authentication. For some reason any session variable that I declare are not saving whenever the user is not logged in. My application needs to support both authenticated and unauthenticated users. The applications works fine when ran locally. The issue only occurs on our remote server. We're using appfabric for session state. I'm trying trouble shoot the issue but I don't know where to start. Any advice would be welcomed!
Edit-when I change the value for httpCookies domain = "future.domain.com" to httpCookies domain="" it works fine. I was told by our admins that we need this setting to not change.

Logging out a user's other sessions in ASP.NET MVC3 with Forms Authentication

I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.
Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.
I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.
Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).
There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".
Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to a application-wide store (database or application context for instance) keyed by the userid.
In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
You could use the Membership.IsOnline property which is based on LastActivityDate:
A user is considered online if the
current date and time minus the
UserIsOnlineTimeWindow property value
is earlier than the LastActivityDate
for the user.

Resources