I'm trying to integrate a public message board service into an existing web site.
The handshaking between the apps goes like this:
1) File on my web site loads a flash file. The Flash reads a local variable that is the Session ID, or some other GUID unique to the user session.
2) Flash app connects with the remote service, passing the SessionID to the service.
3) The service issues a GET request back to the originating web site, asking for additional information about the user.
4) The originating web site (my site) validates that the session ID is for a valid session, and if yes, passes back the other requested information.
I'd like to be able to use the intrinsic ASP SessionID but I'm not sure how in Classic ASP to retrieve session variables for a specific ASP Session, ie, I want the value of Session("FirstName") where SessionID=1234 and not Session("FirstName") for any other session ID. I haven't been able to find any syntax that would allow me to do this.
The alternative is to create a new GUID for every session, but that's adding a lot of overhead.
Any ideas?
I'm not aware of any way to retrieve Session details for a particular instance or ID.
However, you could utilise the Application object to store the information you need using the Session.SessionID value:
Application(Session.SessionID & tag) = myTagValue
This way you are not creating a new GUID, but utilising the already existing one for session that both client and server are using in your example.
Related
How can I implement this behavior in my website
I need to be logged inside my website to navigate through the website and if I open a new tab, I want to display the login page, also the user logged on the previous tab doesn't have to be logged on the new one.(treat all new tabs like independent session)
when the user is logged a security token is stored on my Session[token], if I open another tab, another user can be logged into the website with another token session.(this has to be don't in the same browser)
There are many ways to do that but each has some limitation. All ways required some short of custom development on client side and server side to manage the data.
Don't use cookie or traditional authentication mechanism as all has cookie per domain so it wan't help.
If you are using HTML5 then you can take advantage of sessionStorage and store different Id ( generate guid) and pass along with each request to identify. ( More secure you have to generate your own encrypted value)
For simple use you can use HiddenField on each tab and get value from Url.
If you are aware of ASP.net cookieless session then you can see that url has sessionid and you have to do something similar.
In MVC you can do such thing by creating custom route.
http://blog.gauffin.org/2012/02/get-a-unique-session-in-each-browser-tab/
We are using WSFederationAuthenticationModule in an ASP.NET MVC 5 application to authenticate users via Windows Azure ACS. We have tried multiple things to save some user specific data in the session after the authentication has succeeded but everytime we write to the session object we got the exception 'Session state is not available in this context'. Our favorite was the event System.IdentityModel.Services.FederatedAuthentication.WSFederationAuthenticationModule.SignedIn but of course at this time the session does not exist. Where is the recommended place to write initial data of an currently authenticated user into the session?
Have you considered using the ClaimsAuthenticationManager for this? The beauty of this is that you can access the current claims for the authenticated user (before your application code is executed), run whatever query you need to run, and then stuff new claims into the claimset of the principal. I've used this technique before for similar situations as you described.
If you really need to get access to the session data, then I think you want to look at the SessionSecurityTokenHandler class.
I'm building several Portlets to deploy on a WebSphere Portal Server, and each Portlet is deployed in it's own WAR. Now, I'm needing to track every Portlet a user visits while it's logged on the Portal. I was trying to get the Session Identifier from a Portlet using this:
HttpServletRequest servletRequest = PortletUtils.getHttpServletRequest(request);
String sessionId = servletRequest.getSession().getId();
But after I logged in, I'm getting different sessionId values from every Portlet/WAR I visited. I guess that makes sense since there's one Session Scope per WAR.
So, how do I get an identifier for the Portal Session (not the Portlet one)? I'm seeing that JSESSIONID cookie is the same in every HTTP Request, but I'm not sure if that's exposed through Servlet or Portlet API.
Users that are not logged into the portal don't have a session like that. You can have Portal keep track of session information for anonymous users by enabling public sessions.
http://www-10.lotus.com/ldd/portalwiki.nsf/xpDocViewer.xsp?lookupName=IBM+WebSphere+Portal+7+Product+Documentation#action=openDocument&res_title=Portal_configuration_services_wp7&content=pdcontent
Look under navigator service for the property to change.
Also, I think this might be more easily accomplished in the theme or a portlet filter. You should still be able to get access to the Portal session in either of these places but you won't need to include code in every portlet.
Here's a link for creating a global portlet filter.
http://wpcertification.blogspot.com/2010/11/applying-global-filter-to-all-portlets.html
UPDATE: Like any big framework there are lots of options. I'll offer a brain dump of what I can think of / find. You may have to experiment and see which method you prefer.
The JSESSIONID cookie should be same for a user throughout the whole session. If the session expires they'll get a new JSESSIONID cookie. Using this you'll be able to track a user through a single session but possibly not across multiple sessions.
You could consider using getUserPrinipal() or getRemoteUser() off of the PortletRequest object. I haven't used those method in a while so you'll have to see what info comes out of them.
There is also request.getAttribute(PortletRequest.USER_INFO). You'll have to do some config in the portlet.xml to make certain attributes available in the Map that returns. There is an example here. We're using ibm-primaryEmail instead of the first and last name like the example on my current project.
Lastly you could look into using the PUMA API thats built into Portal. It'll will be a bit heavier on the coding and is obviously more container specific but should be able to do just about any job you need related to users.
I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.
Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.
I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.
Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).
There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".
Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to a application-wide store (database or application context for instance) keyed by the userid.
In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
You could use the Membership.IsOnline property which is based on LastActivityDate:
A user is considered online if the
current date and time minus the
UserIsOnlineTimeWindow property value
is earlier than the LastActivityDate
for the user.
I'm having a lot of trouble finding information about securing remote functions on Coldfusion CFCs for AJAX calls. Lets say you're retrieving sensitive information for a user after the user logs in to the site via an AJAX call. You call something like this:
https://www.mySite.com/pathToCFC/MyCFC.cfc?method=getBankInfo&userID=2343
So this is obviously super insecure as anyone could call this from a browser and change userID to get different user's bank info.
I've read about using the roles attribute on the remote function and using cflogin to authenticate a user, but even with this in place, wouldn't you have to pass the userID like the above call? Wouldn't an authenticated user still be able to switch the userID to discover new user's bank info?
Don't pass the userid from the client. The userid and other sensitive data should be stored server-side. In fact, every bit of data passed from the client must be considered suspect, and validated.
So, if you're using cflogin, for instance, and you're on a single server, or a sticky-sessioned server, then store the userid and any other critical information in the session scope.
On each request, you fetch this data from the session, not from what the client provides.
This a good starting point on User Security in Coldfusion
Wait a second, if you have user X which has to request his details from the server, you don't need his ID, you have it in session, or if you use cflogin feature you'll have getUserAuth().
I you have administrator who can see other users details and you're worried about him seeing bank details you need roles, cf's roles or your custom solution etc.
In any case you don't need to send explicit call "gimme bank account details for user 3456"..