Context
Users work on website A (SPA, Angular)
To get more info about specific entities they can be redirected to website B (website B is open in a new tab)
Both websites belong to different companies but there is a contract so that users of page A have access to page B
There is a redirect https://websiteA/redirect... that does a redirect to https://websiteB/... so that the user has an active session on websiteB
Problem / Question / Requirement
We would like to be informed on websiteA that the session on websiteB has been established, what possibilities do we have?!
Possibility A) Open websiteB in new tab
If we open the session-building redirect in a new tab it works and the cookies with session data are saved in the browser for websiteB. So the following requests to websiteB work, the user is logged in. Only problem, we have no info about those tabs in the js of websiteA and don't know if it worked.
window.open returns null. No chance to get for example an onLoad event of websiteB. Are there any headers the server of websiteB can set for websiteA to be able to get info about a success?
Possibility B) Ajax Request (Angular HttpClient)
If I do the session-building request with ajax, will that save cookies? A first test with a nodejs server shows me, that the httpClient follows the redirect to websiteB but when I open a tab on websiteB afterwards I see no saved cookies. Are there any headers the server of websiteB can set so that cookies are also set when it's an ajax request?
Any other possibilities you see how website A can know if the session has been established?
Related
I have an application that asks a user to login with Reddit. When they accept, it opens a new window (call it SpawnedWindow), Reddit asks them if they want to connect, and when they do, SpawnedWindow redirects to a GET endpoint on my server with the success/failure information. My server will do some computation to figure out if the auth was really successful, and if it is, it will send an "ok" (as a response to the GET request) to SpawnedWindow.
I want the original page to detect this "okay" and continue with user onboarding. How might I communicate this between the new window and the original window?
If you're familiar with "login with Google" buttons: as we know, there's a popup, and depending on the result of authentication, the main page will have dynamic behavior (based on the login being successful or not). This is essentially what I'm trying to achieve.
The API (and many APIs which have a similar authorization process) provides a redirect_uri that the user will be redirected to after authorization succeeds. You can pass a redirect_url query parameter that goes to a page on your site. This way, once authorization succeeds, the newly opened page (on your site, that Google has redirected the popup to) can communicate to the original page (on your site).
One way to do this is with a BroadcastChannel - open a channel on your original page, and wait for a message. On the new page, open the same channel and send a message, and the old page can listen for the message.
Another option would be to use Local Storage. On the original page, listen for storage change events. On the new page, change storage so as to fire the event.
So my app is (mostly) running. This is a corporate app, that our clients will 'install' on their own Facebook page(s), and make available for THEIR clients to run. During the connection process, I use the FB UID to determine their account on our system, connect that UID to the local account ID. I save that connection in our database, so that when the app is triggered from a Facebook account, I use that mapping to access the correct data.
First issue: I want to be able to detect that the app is being triggered from a Facebook page. I went into the App Settings page, and set up the "Page Tab" platform, with a secure URL. But when my app is added to a page tab, that URL is not invoked, but the Secure Canvas URL is invoked. Why? I assumed that was the point of having a Secure Page Tab URL for my app.
But if that doesn't work, is there a way to identify that my app was invoked from the Page Tab instead of some other way? Not as clean, but that would word as well.
I have used the Javascript API to login, and connect the App to a page. This is all working well.
This is answered in the Page Tab App documentation:
When a user selects your Page Tab, their browser will send a HTTP POST
request to your app's Secure Page Tab URL. This request will contain a
Signed Request in the signed_request parameter with fields you can use
to customise the content returned to the user.
If you're seeing the 'wrong' url triggered, make sure you're not accidentally redirecting, either upon receiving the initial POST request from the user's browser, or after using Facebook Login (e.g. if your redirect_uri when opening the dialog is accidentally sending all users to the same URL after login instead of back to where they triggered the flow from)
OK, so in building an x domain sso bit of logic we have reach an unknown.
To use JSONP or window.postMessage & MessageChannel (MessageChannel) for windows bastard child IE10.
The logic is (apparently fairly std). One master domain, 2 other domains (site2 and site3).
Logging into site1
user posts a form to master domain.
master domain, logs user into master and redirects back to site1.com/sso?token=uhytchvgjb
site1/sso decrypts token and logs user into site1
This logic works fine and makes sense. Now enter "in-context login". ie, js lightbox popup, login, convert page to logged in state.
The above 3 steps can be done in an iframe but then i would need to deploy the use of postMessage to alert the parent window of a successful login. However upon researching, postMessage is not ie friendly (shocker). So I would have to use MessageChannel, but then then seems like extra work for one annoying browser.
Is it possible to use jquery ajax and jsonp? ie, loggin into site1
user posts via ajax data to master domain
master domain authenticates details and logs in current user and returns in the response a token to the client.
the client on receipt of response passes token back to site.com sso check and returns a success to client
client then converts page to logged state or redirects to rel logged in page.
The above seems sensible and feasible. The question is, if the JSONP method was used, would the client be logged into the master domain or not?
Yes.
When JSONP request will be sent to secondary website, response may contain setcookie headers.
Session cookie can be set for secondary website this way. So, session may be started for it too. And logged-in flag can be set.
Using JavaScript I would like to automate the submission of data via a form POST to a website that requires a login. Using a browser, I am able to login to this site and create a session. On another tab of the same browser, I would like to open up a second tab on the same browser and load the page where my JavaScript resides and allow the JavaScript code to interact with the website session I created on the first tab so the data being posted is admitted as the session I am logged on from the first tab.
The purpose of this is to automate the posting of data to this website that requires login.
I have the JS that does my form POST automation. However the issue I am encountering is that the JS fails to post to the website because it does not seem to detect or use the session information from the previous tab and therefore thinks I am not logged in.
In short, how can I allow the Javascript http request running in one tab of my browser interact and take advantage of a session I have created with another website I have logged in in another tab of the same browser?
It turns out that i needed to add the withCredentials property to the xmlHttpRequest. Doing this allowed me to impersonate the cookies i already had set on the other tab.
I am facing a problem with a backend using cookies .
The UI technology is JSP and i have login to the application and performed some operations.
At that time i copied the url and opened a new tab and pasted the copied url
In this case i would like the user to be redirected to login page.
This is what i understood from your question :
Your webserver uses cookie to store user session info , you want the user to be redirected to login page when he copy pastes the link onto a new tab .
This is what happens when you do what u said u did :
When a user requests a url from a new tab with an established session in the previous tab , the cookie is sent along with this newtab request hence the webserver renders the page to this request since it is legitimate.
However , the same will not work if you fire the request using a different browser.[In this case the backend will redirect the user to login page (if you've identified the url is without cookie info and programmed a redirect to login page in your server code).]
I don't think this can be done using cookie based session handling .
Please do check this link How to differ sessions in browser-tabs?