I developed an ASP.Net website with cookie authentication.
After reading about CSRF attacks I decided to change my website to work with token authentication which will be saved in the client side.
So what I have done is:
used logins
user receives a token and saves it in the sessionStorage
user sends the token in the header of each API requests.
This works great.
Now the one thing that is missing for me is the page loads, meaning if a user tries to access a page before he is logged-in it should redirect him to the login page. This is something I want to do obviously before the page is loaded, for example before i had this code in the Site.Master:
if (!AuthCookieValidator.IsValid(HttpContext.Current))
{
s_Logger.Info("the user is not authenticated, logging out!");
Response.Redirect("/Login");
}
But now I can't implement this logic unless i keep both session based token + client side token.
What's the solution here?
So my solution is like so:
User logins
User receives a token and saves it in the sessionStorage
User sends the token in the header of each API requests.
If the user tries to reach a url directly, before the react code starts to render the page it will send an authentication check request with the token and render accordingly.
Any comments are appreciated about my approach
Related
The Thing i want to do is , We have a user who is logged in a device .We have to restrict that user to login from other device.
To Login into Other device he should have to log out from the first device.
I have tried to create authentication token via web API.
Every time a user login ,a new oath token is generally passed in the request headers. (Token would be expire on logout.)
If Same User try to login from other device a new Oath token would be generated
is there anyway to check if a token is already assigned to that user then do not allow him to login
What if,
1.user close the working tab or browser
2.or He navigate to other web page by changing the URL
Are there other solutions to ensure one concurrent login per user ?
This should be simple enough to make sure a user have only one login at a time.
Steps to do would be (ASP.NET/ASP.NET MVC):
Step 1: As soon as user login, check if session for this user already exists.
Step 2: If Session already exists, delete the on going session (Here you can also prompt a message to user if he wants to stop currently going session and start a new one.)
Step 3: On User's action you may delete current session and start a new session for the user.
Step 4: If there is no current session going on, you can simply create a new one .
Update:
For ASP.NET WEB API
Here you have to use Authentication token.
On login you can provide authentication token to user.
On Relogin you can check if token is already issued for this user, and accordingly perform your action.
Hope this helps. Let me know if you have queries.
I assume you know how to code above, if not let me know.
I have created a SAML library in my app that creates an authentication request and is successfully logged in, but when it sends a LogoutRequest, the response shows:
"samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"
This should mean that the session has ended successfully at the Idp correct? I provide the session ID and the username of the logged in user in the logout request the same way as successfully specified in the auth request. However, when I attempt another login request, I am not prompted for credentials as though the session is still active. What would cause this? I do not have access to the Idp's ADFS server to view the logs and they are taking a long time to respond with them. Could I be missing something and still get a success message when it really wasn't a successful logout?
I have this code:
Response.Cache.SetExpires(DateTime.Now.AddMinutes(60));
Response.Cache.SetCacheability(HttpCacheability.Public);
I'm trying to cache the entire page on client's browser and any other proxy in between client browser and my servers.
It's all working well until one user logins. After this action all users have in the header the user name and a logout button.
How can I solve this issue?
I think I have 2 options:
Cache the entire page without user info on the header. Then, make a async request to get user's information
Write a cookie every time the user logins and control CDN cache with this cookie (just cache if there is no cookie https://docs.fastly.com/guides/caching/how-do-i-use-a-cookie-as-a-cache-key)
Is there any other solution?
Make use of ESI feature in Akamai.
I have a Login.aspx page where I use Forms Authentication to login to the site. I use a cookie to store the additional user data and in the next page I use Asynchronous web-api calls to get some data. In the process I read the cookie and the user data. If the user data is found I proceed and if not I want to logout the user and redirect them to login page. I have the following code but the execution of the web-api call continues.
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
HttpContext.Current.Response.End();
How do I make the user log out and redirect to login page when I know that the cookie is not found?
You should check for the cookie before you make the Web API calls.
If the cookie exists and is valid, call the service.
If the cookie doesn't, redirect to the login page.
In your API, check for the cookie in the call. If the cookie does not exist, return a 401 unauthorized response code in your web api response.
I want to use the domain: aaaa.com to have a login form for the site at domain: cccc.com.
Note, I have full control of the server at cccc.com and have setup CORS on the server at cccc.com. I essentially have full control of the server at aaaa.com as well.
I am using jquery's $.ajax to send a POST to the cccc.com asp.net mvc 3 server. It looks like I get the right response back and I see the ASP.NET_SessionId and .ASPXAUTH cookies in the response. When I get the correct response in javascript with no login errors, I want to redirect to cccc.com/Home/Index using window.location. Everything seems to be working up to this point. Authentication, getting a correct response, etc. However when javascript redirects, cccc.com still wants me to login again. Why is this happening?
Is it because the authentication cookies belong to aaa.com? How can I work around this?
Thanks
Yes, the authentication cookies will belong to the other site, and are not shared.
If you had a subdomain of cccc.com instead of a completely separate domain, it would work if you set a domain-wide cookie.
As it is though, you will have to copy the cookie upon login, logout, and any other authentication methods that modify how the cookie is stored. If you're on a different server, you would also lose your ability to do sessions unless you have a session state server.
You could try copying the auth cookies with javascript after your POST to log in completes.