I have a webpage that asks for a username and password. The problem is, it only asks the first time. After that, it bypasses that. This is an alert with a username and password place. How do I disable this saving feature so that it prompts every time the page loads.
It should be noted that the desired functionality goes against the way in which HTTP basic authentication was designed to be implemented.
However there are a few ways in which you could automatically "log out" the user so that the next time the page is visited, the authentication dialog box will appear again, prompting the user for the username and password.
One way to accomplish this requirement would be with a JavaScript solution, checking if the user has been idle for a certain amount of time, and if so log out the user.
There are a number of solutions listed here, including a Javascript based solution:
HTTP authentication logout via PHP
Related
I have a problem and after some research online was unable to find other people with this same issue.
I'm designing a site that has sensitive data the user's work with in the page content. It uses CodeIgniter as well as CodeIgniter's session and cookie implementations to track user activity and determine when a session has expired. when sessions expire, the user has to log in again either through a sign-in portal or through a sign-in popup.
My issue is if someones working on their computer then just gets up and walks away from the browser, the session expires, but they didn't realize the session would expire then return to their computer to finish their work. There is a regular ajax call that checks if the user has been inactive, and if the time threshold is reached their session data will be erased and the session is no longer active. There is then a popup window prompting the user to sign in again if they want to keep working.
The problem is, how do I protect any sensitive data in the HTML in the meantime? You might think if the session expires just redirect the user away from the page, but if they're in the middle of something I don't want to erase all of their work. I could try just hiding the HTML using javascript, but then someone could just open the inspector to see the HTML. is there some way I could prevent anyone from seeing the page data at all unless the sign in a popup is completed?
Thanks for any input.
I don't know of anyway to protect their work like you're asking.
I'd suggest saving the users work in a draft format, as they enter it. Then if they walk away and get logged out it doesn't matter, the work is still there when they log on next.
I just implemented Google JavaScript sign-in button to our homepage, and everything works the way it suppose to, but thats sometimes bad..
So the thing is that our users use our application on the same computer, 3-4 different users per day. Having a google sign in gives us access to implement some Google product features in our own site.
I understand that sign-in with google signs you into the Google account, and also gives permission to application.
Also i understand that this is the way it works to make the life easier for user, not to sign in each time on every site.
I can easily remove the application permission via GoogleAuth.signOut() or GoogleUser.disconnect(), even with GoogleAuth.disconnect(), so the .isSignedIn() will become false, so the user will always have the prompt screen, also i use prompt: 'select_account' on .signIn() to make sure even single user will get the prompt screen.
The problem is when the 2nd user enters to our login screen and chooses "Sign in with Google", he can actually choose any previous user in the prompt screen and enter into our application as not himself, but actually can choose the previous user and authenticate himself as the other without entering any password.
Password will be only asked if previous user also logs out from his Goole account.
I know a hack is to redirect user to URL:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=YOUR_REDIRECT_URL
But thats seems like a very poor solution, because our users use our application also with their personal devices, so its kind of bad if they get logged out from all applications they have signed into.
I know asking password on each sign in is not the way auth2 intended to work, but i'm sure there is a way forcing user to enter password on each time they press "sing in with google" button.
Ive spend multiple hours on searching for a solution and tried multiple things, i hope someone of you can point out the needle in the haystack that i missed
I site I am working on asks the user (using firebase, js, and native chrome) if it is ok to send them push notifications. They may say no and click the little block button. Fine... that is great.
Is there a way I can provide them an easy button to be asked the same question again if they change their mind? Currently, Chrome asks if they want to allow or block. If the user indicates they want to block, but can a create a "Send me push notifications!" that re-requests this permission?
Answer: No.
If user block permission via native request you can't do anything with that. But you can show them instruction how to unblock push by open settings. But you need to offer something very very valuable to a user. And expect low conversion.
The best way to subscribe users is to give them value before subscribe and require additional action. Example: show them HTML dialog with info about subscription and HTML buttons "Yes" and "No". When a user clicks "Yes" — show him a real request. If a user clicks "No" just close the dialog.
Later you can give more value to users who clicked "No".
You can find best practices here
There is an embedded device with a web interface. Configuration page contains various settings, including SMTP account for e-mail alerts. It's a simple HTML form with input elements, including password. When user opens the page, all fields are filled using JS with previously saved settings. The page contains also a button which causes navigation to another page containing some more settings. The problem is that when a user goes back from that page using Back button in the browser, then the password field is cleared. I suppose it's for security reasons but here it's just an annoyance. If a user goes back to the settings page and wants to change something then he has to re-enter the password each time. How can I prevent the password field from being cleared?
Without more data it is hard to be certain what is happening. What is clear is that the password should never be filled in automatically. The concern is that someone walks away from the computer and another user then gets access to the password as it is easy to show the clear-text of a browser password field.
I strongly recommend against you doing anything to automatically fill in the password. That said here's my thoughts.
The only thing I can think of would involve a custom (ie: one you write yourself) Tampermonkey script. Perhaps you can record the password in the script and then reinsert it. If you really want to go security-free you can try to change the password input to a regular input field. That may cause the browser to automatically fill it in for you.
I am currently developing a website where I am facing the following problem:
I tried passing the User id and password to the login page and auto submit the page using a script, which will take the user to the next page. This is just to bypass the login page in my site. This works perfectly fine.
When the "No script" add on is enabled on a Mozilla Firefox browser, the script to auto submit the form is not working. As a result, the login page is getting displayed to the user with the filled in user id and password.
Also, sometimes the user is able to see the login page on the front end when we auto submit the login page.
Are there any possible ways to overcome these two issues?
Redirecting the user's browser as you are doing now is really only possible client side with Javascript, which is always able to be blocked. You could store the user_id and password in a session variable and access that data on your login page which handle's the actual authentication. Doing it that way would eliminate the need for auto submitting forms.
But if you really want to use form posting you can emulate a form post with PHP using cURL, but this is a little more complicated.
cURL on php.net
Sending post form data with PHP and cURL
On my site, if the user is not logged in I run a "tryCookieAuthentication" method on every page load which checks to see if the "remember me" cookie is set. If it's set and everything seems legitimate, I go ahead and authenticate the user and log him in. This way the user doesn't even have to touch the login page. I don't know if this is what you're trying to do, but it might give you an idea.
If you already know the user_id and password when the user requests the login page then you could just send a location header