I'm making a project in PrimeFaces and I'm puzzled by something simple.
The objective is:
When an AJAX request is made, send something to the browser so that it knows the session has expired.
By knowing that the session has expired, it knows it must display the login form (the contents are inside a <template> tag) in a popin (modal(?) box) and it displays it.
When the user tries to submit the form, the js intercepts the submit event and it sends the login using AJAX.
On successful login, re-send the previous AJAX request that had failed due to session timeout.
Update:
To solve this, I decided to use a filter. I was able to do the request interception and to analyze whether the session had timed out. Given that, there seems to be a specific header that is always sent when the request is made using the DOM's XMLHttpRequest(), so I can use that to decide the kind of answer it should give for a session timeout.
With that, I send the answer to the client... Now what?
This is something super simple I had already made when not using any framework at all, but now, using PrimeFaces, I can't seem to even get started; I have no clue how to do it.
This is on primefaces 5.0 with only its dependencies.
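One way to wire up the client side of the flow described above, as an added example that is not code from the question or from PrimeFaces. It assumes the server-side filter answers an expired-session XMLHttpRequest with HTTP 401 and the JSON body {"sessionExpired": true}; `send` and `promptLogin` are hypothetical hooks standing in for the real AJAX transport and the modal login form, and the fake server is constructed so the flow runs offline.

```javascript
// Added example (not from the question). Assumes the servlet filter answers an
// expired-session XMLHttpRequest with HTTP 401 and JSON body {"sessionExpired": true}.
function createSessionAwareClient({ send, promptLogin, loginUrl = "/login" }) {
  let pendingLogin = null; // one login dialog at a time, shared by all waiting requests
  function relogin() {
    if (!pendingLogin) {
      pendingLogin = (async () => {
        const creds = await promptLogin(); // e.g. render the <template> form in a modal
        const res = await send({ url: loginUrl, method: "POST", body: creds });
        if (res.status !== 200) throw new Error("login failed: HTTP " + res.status);
      })().finally(() => { pendingLogin = null; });
    }
    return pendingLogin;
  }
  async function request(req, retried = false) {
    const res = await send(req);
    const expired = res.status === 401 && res.body && res.body.sessionExpired === true;
    if (!expired) return res;
    if (retried) throw new Error("session still invalid after re-login"); // no endless loop
    await relogin();
    return request(req, true); // replay the failed request exactly once
  }
  return { request };
}
// Constructed stand-in for the server so the flow runs offline: the first data call
// gets the expired-session reply, POST /login restores the session, the replay succeeds.
function makeFakeServer() {
  let loggedIn = false;
  const log = [];
  async function send(req) {
    log.push(req.method + " " + req.url);
    if (req.url === "/login") {
      loggedIn = req.body.user === "alice" && req.body.pass === "secret";
      return { status: loggedIn ? 200 : 401, body: {} };
    }
    if (!loggedIn) return { status: 401, body: { sessionExpired: true } };
    return { status: 200, body: { items: [1, 2, 3] } };
  }
  return { send, log };
}
async function demo() {
  const server = makeFakeServer();
  const promptLogin = async () => ({ user: "alice", pass: "secret" }); // stands in for the modal
  const client = createSessionAwareClient({ send: server.send, promptLogin });
  const res = await client.request({ url: "/api/items", method: "GET" });
  return { status: res.status, calls: server.log };
}
```

Because the login promise is shared, several requests that fail at once trigger a single login prompt and are all replayed after it succeeds.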
I need to fire Session.Abandon() when a user leaves the page he is watching.
If the user just refreshes the page session must be kept.
I tried to do this client-side firing an ajax call when unloading the page window.addEventListener("unload", function(e)... but I'm not able to distinguish if the user is just refreshing the page or is leaving it.
I'm currently using ASP.NET MVC5.
Any suggestion, please?
There is no straightforward way to do this... The question is: why would you want to do this anyway? Feels like bad design to me.
You could handle some navigate event and check if the domain is the same as you currently have. If not, fire an AJAX call to abandon the session. Make sure to make that call an HTTP POST with a CSRF token to be sure not to be vulnerable to CSRF.
I have a Laravel project (including user authentication). I need to log session duration time. That's easy if the user clicks on logout, but what about if the user closes the tab/window?
I thought of using JavaScript to handle those events, or setting a timeout to send an AJAX request to the server to say "Hey! I'm online!" and then update the session duration, but it seems it is not efficient.
Any ideas?
There is no way to know for sure if a user is still logged in on your website. The closest way to check for this is indeed to use JavaScript that makes an AJAX call every x seconds. This is what Facebook used to do to check if users are still online.
I'm making a google-chrome-extension for a certain website, and want the browser_action to display the number of notifications a user has received on said website.
Currently, I am using an AJAX request to retrieve the HTML from the website/messages page, and then I am using jQuery to count the number of "#unread > li" elements in that HTML (each one representing a new message).
Now, I take this number and display it on the browser_action icon.
All works perfectly, the correct number of messages is shown, BUT the user must be logged in on the site (not my site) for it to work properly, otherwise they will think that they have no messages.
I was thinking that I could detect if the user is logged in, and if not display a red ! exclamation mark on the icon. Then, when the user clicks to show the pop-up, it asks them to log in.
However, I have no idea how to actually log the user in to the website using this method: how do I send the credentials across? Or does the website have to support a request like this?
TL;DR
How can I log a user into a website I don't own remotely?
Disclaimer: I've never done a google chrome extension, but based on the rest of your question, it sounds like it's just working with JavaScript like any other web page, so I'll go ahead and answer it.
In any case, working with cookies in JavaScript can be somewhat of a pain:
https://developer.mozilla.org/en-US/docs/Web/API/document.cookie
http://www.perlscriptsjavascripts.com/js/cookies.html
I'm assuming that your server side already works with and expects cookies, so I won't try to suggest any alternatives. That being the case, your server is what needs to validate the cookie, so, IMHO, might as well set the cookie on the server side. If the server handles it, on the JS side, you simply post the username/password to a server-side page, e.g.
$.post("/user/login",{"Username":"foo","Password":"bar"},callback);
That server-side page validates the username/password and then, if successful, generates the cookie and sends a response back to the JavaScript (e.g. {"IsSuccess":true}). Upon receiving a successful response rather than an error, you just start calling the other web services to retrieve your data assuming you are logged in and build out the page.
Assuming that your web services will return HTTP error codes that help you determine a problem with the session, if you get a 401 error code, you take the user back to the login page. If you get a 403 error code, you let the user know they can't access that data...etc., all depending on your app.
Ultimately, JavaScript doesn't know whether a user is actually logged in, so you have to rely on the server to send you information in a way that is understandable so that you can direct/prompt the user as necessary.
[Edit: 2014-11-21]
You didn't answer my other question: what do you get back? If they don't set the cookie themselves at the login, then you need to get back the session token from the response they send... if they don't send you a session ID, you're SOL. If they do send you a session token/session ID, then you need to know what to name it (e.g. PHP uses something like PHPSESSID as the cookie name, but it can be whatever the coders of that domain decided on). Beyond that, you have to be able to set the cookie for THAT domain name (3rd party cookie). This may have mixed results depending on the user's settings--if they block 3rd party cookies--however, since this is a Google extension and not a website, maybe it's able to bypass that kind of restriction. I know that Firefox's developer toolbar is able to manipulate cookies for all domains, so it would be a reasonable assumption you would be able to as well.
I have been thinking over this issue for the past few months. Recently, I have started with a complete JS-built front-end, where the forms are posted using AJAX.
I have a doubt about how to recognize on the server side where the data is coming from. Is it coming from an actual form event, or is it coming from the browser console?
What I have tried:
Creating a two-way handshake: Before posting the form, the application will contact the server, and the server will send a token inside the cookie, which will be sent back with the form post. But even if we post from the browser console, that cookie will go along carrying the token. So, Failed.
Binding a hidden field: But if someone is posting the data from the browser console, he would definitely look for the hidden fields as well. Basically, he'll replicate my AJAX to send the same request, in the same fashion. FAILED!!
I am not able to figure out this part. Can anyone help?
Thanks in advance.
Rule #1 of programming for the Internet: Never trust anything from the client. EVER.
Rule #2 of programming for the Internet: Never trust anything from the client. EVER.
Rule #3 of programming for the Internet: You cannot make the client trustworthy.
I know the first rule is duplicated twice, but it is worth it.
There is simply no way to do what you intend to do.
A person who wishes to send data to your server, via an AJAX request or a POST request, can easily do any of the following:
Modify the form using browser tools or a proxy and force-feed in whatever information he wants.
Capture the entire transaction, through a tool like Fiddler2, and change the values and re-send them. No browser needed.
Modify the code running from your site to send (or allow) whatever data he wishes to send.
Use a tool like curl to fake a browser and send whatever information he wishes to.
There is simply no way of knowing, on your server, where that information came from.
From a security point of view, you simply cannot trust anything -- ever.
Validate the credentials, give the user a login token (usually a cookie) and then still be suspicious of everything the client sends you. If there is something that shouldn't be changed or updated, make sure your back-end doesn't allow it to be changed or updated.
We have tons of code in our application that looks like this:
if (user.HasPermission("MayUpdateFirstName")) {
    record.FirstName = FormData.FirstName;
}
That way, if FirstName is passed in, and the user can't modify it, then it doesn't get modified.
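A generalization of the per-field permission check in the answer above, as an added example rather than the answer's own code: the field names and permission names are assumed for illustration, and the server copies a client-supplied field into the record only when the caller holds the permission mapped to that field, so it does not matter whether the POST came from the page's form or from the browser console.

```javascript
// Added example, not the answer's own code. Field names and permission names are
// constructed for illustration; a null entry marks a field the client may never set.
const FIELD_PERMISSIONS = {
  FirstName: "MayUpdateFirstName",
  LastName: "MayUpdateLastName",
  Email: "MayUpdateEmail",
  IsAdmin: null,
};
function makeUser(permissions) {
  const granted = new Set(permissions);
  return { hasPermission: (name) => granted.has(name) };
}
// Copy only the fields the user is allowed to change; drop the rest and report
// them so the caller can log the attempt.
function applyUpdate(user, record, formData) {
  const updated = { ...record };
  const rejected = [];
  for (const [field, value] of Object.entries(formData)) {
    // hasOwnProperty guards against keys like "constructor", which a plain
    // property lookup would resolve through Object.prototype to a truthy value
    const known = Object.prototype.hasOwnProperty.call(FIELD_PERMISSIONS, field);
    const needed = known ? FIELD_PERMISSIONS[field] : null;
    if (needed && user.hasPermission(needed)) updated[field] = value;
    else rejected.push(field);
  }
  return { record: updated, rejected };
}
// Constructed request body of the kind a browser-console user might send: it
// carries fields the form never shows as well as a prototype key.
function demo() {
  const user = makeUser(["MayUpdateFirstName", "MayUpdateEmail"]);
  const record = { FirstName: "Ann", LastName: "Lee", Email: "ann@example.com", IsAdmin: false };
  const formData = { FirstName: "Anna", LastName: "Hacked", IsAdmin: true, constructor: "x" };
  return applyUpdate(user, record, formData);
}
```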
I'm building a client-side AJAX login for ASP.NET MVC by doing jQuery posts to the controller to log in the user.
What I'm wondering is when the user goes to log out, should the page refresh? (for security reasons)
This tutorial here says:
There will always be a page refresh on logout. This is necessary to ensure that any user-specific information is cleared from the page.
And I figured since it's a tutorial on doing client-side AJAX logins that there must be a reason why they did it that way. If I do an AJAX logout, is it safe to just switch everything to an anonymous view without reloading the page?
You don't need to refresh. AJAX is a simple HTTP request, so if the request properly logs you out on the server, you just need to make sure there's no relevant data left on the client, for example in a JavaScript object or in a cookie.
In any case you can still clean everything up without a page refresh.