I use Spring Security 3 in my JSF2 webapp.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
But I have 2 problems:
(1) When I startup the app the first time (it tries to show the home page), I'm redirected to the login page saying session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" he has expired (doesn't distinguish betwen a new session and a timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.
How can I solve both of these problems?
Thank you in advance.
You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.
Related
i want to ask below question related about session. there is a test about my web and got below result about session.
detect the improper session handling by impersonate the user by submitting the token to the web server for any sensitive transactions. To handle sessions properly, ensure that application code creates, maintains, and destroys session tokens properly over the life-cycle of a user’s session.
i try to googling but still can't figure it out. for the login i just using login code from laravel auth itself.
anyone know how to solve this? and how to test improper session? is it mean i should allow, only a user can login at the same time?
thank you
After loggin in OneDrive through a web application as explained here (http://msdn.microsoft.com/en-us/library/dn659751.aspx), I can see that a session (WL.getSession()) is obtained correctly. However, if I make a refresh on the page, it is getting lost. I guess this is due to some cookies management. Is it possible to have the session not cleared at refresh?
Thanks,
Stanislav
Typically, you should call WL.login or otherwise check login status first (see WL.getloginStatus). These will return a session object if the user is logged in and has consented, so on refresh your session object should not be null unless they have logged out and you need to sign them in again. You may be "losing" the session depending on when you are calling WL.getSession()
Check out the interactive SDK sample on signing users in
I can redirect a user to home page upon session logout.. this was very simple. However, if an user had logged into the app and had the page open, even on session time out, he is able to perform all the functions(this is bad).
The redirect does not happen until the page is refreshed, or submitted to the server... there are some update functions that could be done by the user even if he is not currently logged in... I have done a lot of research but unable to fix this solution. I also found this thread but it seems to have no proper answer:
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
For example, most of the banking sites log you out after a time out.. they do not wait until you come back and then submit a request before you are redirected to home page.
HTTP is stateless. To achieve some form of state the server can maintain a session for each user by giving them a session id on their first request. The user would have to resend that session id on each future request to identify that the other requests happen within the same session.
Because the session is maintained by the server, there is no way to notify the client that the session has timed out.
Instead, if the user makes a new request when the session is timed out, their session ID is no longer good and therefore you can take a particular action like redirect them to login page.
Assuming nothing works out. You may want to consider below mentioned approches:
Approach 1:
Create a cookie on browser and have encrypted timestamp in it that will contain last visited/request timestamp from browser, for each request first get get this cookie value and compare with the pre-defined session out time, if session-out time reached then redirect user to error page else serve the request. On logout delete the cookie.
Why encrypted value for timestamp: if somehow user gets to know about cookie used for session timeout then (s)he can change this value in browser and keep on sending this request.
Approach 2:
You can also achieve this by making an entry in your database for every logged-in user and updating timestamp in this database for each request. For each incoming request get this timestamp from database and compare it with pre-defined value for timeout and handle accordingly. On logout delete the entry.
In both the approaches explicitly perform response.redirect("errorPageUrl");
I'm using Spring MVC for a personal webpage with a local Tomcat 6 server. I'm using a default Tomcat configuration(what eclipse would setup by default).
In my controllers(using one controller for each page, and creating Session beans to pass information between them) I have two methods, one for capturing a POST and one for capturing a GET Request Method. The page logic will have the user click a submit button and will use a "redirect:abc.htm" return to send them to a new page or back to the GET method.
I'm not explicitly handling cookies, but do have all the information in Session Beans and am using Spring Security to handle security/user management.
I have a spring security configuration to redirect the user back to the login page if they are not authorized. I also have an ExceptionHandler catching HttpSessionRequiredException, though this is not what is triggering when I expire the user sessions(it's using the logic of my Spring Security configuration).
When the session is expired(I'm doing this through Tomcat manager) the user is redirected back to the login page. They are redirected after they try to do something(click a submit, or revisit any page except login.htm).
My issue is that once they get back to the initial page that their session expired at, if at the time of expiration they clicked a submit button, it is redirecting them past the initial page and handling the POST event from the submit.
Example:
User is logged in, and on the main page
User Session Expires
User, on the main page, click a submit button
User is redirected back to the login.htm page
User logs in and navigates back to the main page.
Instead of following the logic of the GET for the main page, they are treated to the POST of the main page, and I'm not sure where the POST variables are coming from.
Is there any way to trace where this error is coming from or what exactly is causing it?
This is done by spring-security. Spring security stores the request details in the session before redirecting the user to the login page. On successful login it will retrieve the request details from the session and redirect to that.
You can set the always-use-default-target attribute of the form-login configuration to override this behavior.
How do websites generally log users out and send them to the log in screen automatically when a user's session expires? Is this done through ajax or running async handlers? Can you give me a bit of an explanation.
Banks and such use a client-side timeout via javascript, or something similar. Really, though, the server handles the actual session, so if you disabled the client-side logic it would act as if you were attempting to make transactions while logged out.
Use a cookie as well as a session.
Cookie must be set when a session is
started.
If the cookie is present but the
session is gone, redirect to the
login screen.
If there is no session and no cookie
do nothing
(pardon me if you can't do that because I never used ASP and basing my answer on my PHP knowledge)
Typically, you set an expiration timestamp on your session ID cookie. When the cookie fails to be sent, the client is logged off (no given session ID).
This method is often combined with JavaScript and another timestamp token. When the timers start running down, a notification is sent that allows the user to "refresh" their session... essentially, making a request before the session timestamp expires.
The "refresh" request could be anything, even something as simple as an image load.
If you are using Tomcat you can use its built in <security-constraint> mechanism within your web.xml definition. All of the timing, login screen, and page redirects are handled by Tomcat with little effort on your part other than definitions.
Oh, IIS... nevermind.