Session timeout kills "Remember Me" cookie in aspnet database - session

I'm trying to understand if this makes sense:
1. User logs in, checks "remember me" checkbox.
2. User logs out.
3. User comes back and is automatically logged in.
Basically, that's exactly what you'd expect to happen. This means it's working. Here's where it gets a little weird:
1. User logs in, checks "remember me" checkbox. (Or logs in using remember me.)
2. User is inactive for over 20 minutes, so the session times out.
3. User clicks a link and is sent to the sign in page.
4. User closes browser, then opens again. They are taken to the sign in page.
It would seem that "Remember Me" is turned off for this user when their session expires due to inactivity. I've tried to find something about this in the documentation, but to no avail. If this is expected behavior then that's cool, but I'd like to confirm.
We're using the Sitecore.Security.Authentication manager to set the cookie in the first place.

In my experience, the "remember me" function has never worked properly..
Seems to be a bug that has been there forever.
I usually just let my browser store the login information for Sitecore if it's too difficult to remember.

First of all, it is important to know that even the "remember-me" token has validation: the "cookie" expires after some time, and it is configurable, even though it has a default value. You need to check the default value.
Secondly, due to Single-Sign-Out, the "remember-me" cookie suppose to be removed after signing-out (just as #adam said in his comment). Remember me remembers the user across sessions, but not if he logged out. Think of it this way: if you have your Facebook or Google account, and you signed in after clicking the "remember-me". Then you log off, and come back again. You will be asked for your credentials again! (If it is not you who tries to log-in? do you want Facebook to remember you even after you have signed out?)
The practical use of remember me is this: you log-in to a web-site, then close your browser (without logging-out!), and by closing the browser you "lose" the session. When you reopen the browser, you get a new session. Then the remember-me comes into work: you will have access to the website without the need to enter credentials again.

Related

Laravel: difference between login with and without Remember Me option?

I have a question about the default Laravel Remember Me option below the login form. I use the default built-in LoginController.
When I read the Laravel documentation, then I read about the Remember option:
"which will keep the user authenticated indefinitely, or until they
manually logout"
Ok. Now I do a test:
I uncheck the Remember Me checkbox, and I login. Then I close the browser. I open my browser and goto my app: I am still logged-in.
Then I select the checkbox Remember Me, log in, close browser, open browser: exactly the same result: I am still logged-in....
How is that possible? What is the difference?
If you use remember me, Laravel puts cookie with token that is used to log you in next time you visit the page (in case you are somehow logged out I will explain later).
Laravel by default uses session that is valid for 2 hours (you can set this up in config), so if you close your browser while logged in and then attempt to open same browser again in window of 2 hours server will not notice the change.
"Log out somehow"
well obviously by clicking logout in application
clearing up browser cache by browser itself or by 3rd party program
using different browser (this is just for clarification)
using incognito mode (this is just for clarification)
using different computer and browser without sync feature (this is for clarification)
To answer your question "whats the difference?":
If you use remember me, Laravel will set cookie with token that is used instead of credentials (name:password combination) while logging in, and the process is invisible for user.
If you do not use remember me, you can be signed in only for 2 hours (or whatever is set in config file) without action. The fact that browser keeps session information even after its closed is considered as feature of the browser).

How can I close all (plone) sessions opened by a user except the current one?

Let's suppose I'd opened two or more user sessions on two or more devices (same user with not admin privileges).
At the current session, if I log out, it means all others sessions will also close? If not, is there a way to do this by an URL request?
something like this:
User call a method, ex: [plone-site]/close-all-sessions-except-this;
Results on: all user sessions, opened on the others devices are closed.
Would be better if this method were native in plone.
gmail has this feature. I think it's an important security and privacy issue.
Not really sure what you are asking, but if you want to automatically logout all authenticated users (not only one user) you can:
Go to ZMI
Enter inside acl_users
Select the session plugin
In the "Invalidate all session identifiers" section click the "Clear secrets" button.
As you can read there:
By clicking the button below you clear all secrets used to validate
sessions. This will immediately log out all users who use session
authentication and require them to log in again.
That's a nice feature request, would you mind opening an issue? AFAIK Plone doesn't include that by default.
When you log out of one session Plone will close all sessions for that browser AND site URL, because the session is stored in a cookie set to site's domain. However Plone won't log you out from other browsers/devices, nor in the edge case you're accessing the site by IP, if that's available.

ASP.NET MVC Web application, hosted with GoDaddy acting crazy with authentication

I have this website that I developed. It is acting weird. I logged onto it and now it seems that I can't logout of it. It has session which I don't know how it can still maintain after logging out and also in different browsers and even in incognito.
The weirdest thing is that if you open it in your browser you get same session state. You can't do anything with it. But it is jut there.
What is going on?
Go to this page, it shows some user logged in. click Add and it asks for credentials again. Like an endless loop.
http://krninstitute.com/krnitech/Forms
Then go to this page, it shows other user logged in. Go to the end of the page.
http://krninstitute.com/krnitech/Gallery
This question requires these external links.
But here are images just in case:
Edit 1:
What is causing every request to end up with session cookie? I don't have any cache implemented. Does it have something to do with recent GoDaddy crash?
Edit 2:
Questions are 1. how can you see who is logged in on the application? I haven't implemented such functionality. And 2. how there are two people logged on from same browser window?
Session and Authentication are two different things. When you use FormsAuthentication to login and logout, it does not change the session. You must abandon the session in addition to logging out to do that.
Session.Abandon();
Be aware that the session will still be there until the end of the request, so you should probably immediately redirect to a default page afterwards.

How can I get Webkit and IE browsers to prompt to save passwords for login through AJAX request?

I have an HTML page with a login form and a registration form inside of an overlay. When the user submits either of these forms, an AJAX request is made back to the server.
If the registration or login is successful, then the user is logged in and certain parts of the page are updated. If there is an issue with the login/registration credentials, then the user is asked to correct the error.
How do I get the browser to prompt the user to save or remember the username/password used for this scenario?
I was able to get Firefox to prompt the user and remember the password by following the answer here:
How can I get browser to prompt to save password?
But this solution did not work in webkit browsers or IE. Also, I tried adding the autocomplete attribute to the forms with value "on", but this also did not solve the problem.
Thanks in advance :)
I'm not sure if you are going to be able to find a solution to this that works across all browsers in a timely manner and if you do it may be very brittle and could break after any browser update.
A more reliable and robust way of doing this could be to do it with your own code by building this functionality into your UI. This would probably even save you some time in the long run. You could have a "remember me" checkbox or a "remember me" popup that comes up after a successful login.
If the user opts to be remembered just write an encrypted cookie with their username which if detected will allow them to bypass login. Assuming SSL I don't see this route as being much less secure than trying to force the browser to do it as the information will be stored un-encrypted on most users computers either way.

Firefox extension to log out user after the page has been closed

I am writing my first FireFox extension and I have some questions. Maybe someone can help.
I have a website which requires login. The sign-in is one user per login type. So if I am logged with the username "tom" from one PC and go to other PC and try to login with the same details, it fails. When I click the log-out button from my authenticated page, the new location executes a PHP function to log-out the user (updates the "logged" status of the user in MySQL). The problem is that if a user is logged in from his work desk and surfing the page then suddenly he gets a call by a friend to quickly grab lunch in his break and has to meet him in short time, he just clicks the X (close) button from Firefox, forgetting to press the log-out button so the status of the logged is still 1. Later on, if he wants to access the page again from home, he won't be able to log in.
So, I need to grab the "close" event from firefox somehow. I am thinking about looking for the ones that contain the "website.com" domain only. Then, if a tab is closed or the main window of Firefox is closed, send an unique key, and the username to that URL that logs out the user and the problem may be solved. I don't know if this is possible. Please post any idea (followed by code if you can) for this extension to be built.
Thank you.
By design, this is wrong.
If a user's PC crashes (harddisk failure, power failure) your plugin won't be able to log out the user. And so, the user won't be able to login on any PC.
--
Let's revisit the premise,
a. why does logging in from another PC need to fail?
b. How about invalidating the login from the previous PC (log out) when the user logs in to another PC. THis is kind of like how chat applications like Yahoo! Messenger work.
From your answers, here's what i would suggest: if the user is logged in on another PC, warn and present the user with options:
cancel logging in
forcibly log out the other user and proceed to logging in
Logging the user out after a certain time of inactivity is the (application or web) server's responsibility, not (only) the client-browser's. This is called a session timeout.
You might be able to avoid the timeout by a browser implementation as you describe it, but this should not be the primary solution.
Here's an off hand approach you might take:
In your case I would include a timestamp in the table where the 'locked' state is stored. Every time a user does an action that timestamp is updated. When you try to login again ad the timestamp is older that a certain threshold (e.g. 15min) your login code should silently logout the previous user.
In order to receive a notice about the tab being closed, you'll want to do something like this sample code. However, instead of listening for load, you'll want to listen for unload.
When you do end up getting notified about unload, you'll have to do a request to the logout page just like the web application does. You can figure out what the location of the document that is unloading is by checking aEvent.originalTarget.location.href. Note that aEvent.originalTarget will give you the document object of the tab that is closing. You'll then want to use an XLMHttpRequest for this in your event handler.
You could use ajax that would ping a page on the site - all the session info will be passed and you can verify that the user still has an active browser/page open. If Firefox crashes it won't be able to ping the website anymore and the session could time-out after 15 minutes. I think that allowing a forced logout on another sign-in would be best. Usually when I leave work at the end of the day I wouldn't close all the programs or logout or anything - just lock my computer to prevent anyone from using it. Next morning I come back with all my programs still running so I can continue where I left off.
BTW, Yahoo Web messenger probably uses some form of session-based cookies. That is, cookies are stored in memory and are gone when the tab or browser are closed.
Just enable to the user to re-login from another machine. And if you get a request from the user on first machine, ask him to re-login too. So you get a single logged in user at a time.

Resources