I am creating a Forms Authentication in MVC using
`FormsAuthentication.SetAuthCookie(userName, model.RememberMe);`
And in Controller we use [Authorized] attribute to make sure user session is valid and has not expired. It works well when user move from one page to another. And if Cookie is expired then Login page is shown again.
Problem is with the one Page (Dashboard) which makes Ajax calls to server (Controller) to refresh some items on the screen every minutes.
As per company policy we can’t have session more than 30 minutes. So if this page remain open for 30 minutes and session expire we would like to redirect to Login page.
Currently if session expires this page still remain as it is but stop getting refreshed and then user complains they can’t view data. Of course they can see it again once they refresh the page but is there any way using which I can find using JQuery or Java Script that FormsAuthentication cookie has expired
Of course they can see it again once they refresh the page but is
there any way using which I can find using JQuery or Java Script that
FormsAuthentication cookie has expired
Yes you can. Phil Haack wrote a very nice blog post explaining how you could prevent the Forms Authentication module from simply redirecting to the login page but instead return a 401 status code which your client AJAX call might catch and use window.location.href to manually redirect to the login page.
http://haacked.com/archive/2011/10/04/prevent-forms-authentication-login-page-redirect-when-you-donrsquot-want.aspx/
He also wrote a NuGet called AspNetHaack which you could use and if you are interested browse the source code here: https://github.com/Haacked/CodeHaacks/tree/master/src/AspNetHaack
Related
I have searched this for long time, unfortunately I couldn't find a helpful answer. when a user accessing my asp.net mvc 5 application and do a clear cookies from his browser, how can I detect that the cookies has been flushed and sign out the user without refreshing the page?
I have noticed this feature in Gmail. it automatically detects cookies flushing and redirect you to the login page.
Any thoughts?
Almost every login pipeline use cookie.
Usually you store some sort of userHash or even loginToken in cookies on login action.
So you don't detect that cookies flushed. You just check cookie exists on every request and if not - you redirect user.
I've been fumbling around with different client side technologies, like AngularJS, EmberJS, even trying to use straight JQuery and figure out how to use ReactJS with it. That aside, my goal is to build a single page app using json in between the client and a Java Jersey 2 jax-rs back end api.
I have two stumbling blocks right now. Some info though..I am deploying my app as a WAR file in Jetty. My back end is java based. I am using only jquery in the client side as of now.
My main stumbling block is how to handle login, logout and session management. With an rest API and using ajax, I have login working, including it setting a cookie. My concern however is with a single page app, there is just the one index page, and if the user closes the browser, then reopens it to the index page while the cookie/session is still good, the user should be logged in, not see the outside (not logged in) page. I am unsure how to handle this, whether it be a jsp page, index.html with some templating library, etc. With JSP I can insert some scriplet code (against my better judgment). In the old days I'd include a header that would check for request.getSession().getAttribute("user") and if it was there..the user was logged in and using scriplet if() code I'd display a logged in header, instead of the non-logged in header. But I am in the belief there has got to be a better way to do this with todays client side JS frameworks.
The other stumbling block is the navigation and dynamic aspects. For example, when I was messing around with angular js, it was easy enough to use Welcome {{name}} and within the scope replace name with a json response value for the logged in user. In my current situation, I am not exactly sure how to best go about displaying dynamic bits like this with pure jquery other than using some sort of $("#elem-id").innerHtml="..." code within the response success method of an ajax call. As well, I am not quite sure how to handle navigation to different pages. My logged in site will have some drop down menus or links that will replace the content area with different varying amounts of content.
So first, what are some ways in a SPA to handle user sessions, in the case of a page reload, or close/crash browser restart.. to ensure the user is still logged in and direct them to the right page? Second, what sort of templating and routing/navigation options exist that don't require me to put a huge ton of code in my one index.jsp page?
Thank you.
If you're having a REST API as the back end, then you must have implemented oAuth as an authentication mechanism. That is, when your user logs in, using a username and a password, you exchange that data with an authentication token. This authentication token is sent your server with each and every API call and your backend validates this token before servicing the request. Clear so far?
What you could do is, when you obtain the access token, you can also obtain the access token expiration time from the server and store that data in your client side app. In localStorage maybe? And when your user closes the browser and reopens again, you can first check whether such access token is available (and not expired) before asking the user to log in. This should solve your first problem.
Secondly, if you're looking for a lightweight routing option, I recommend director.
I am building a similar application. OAuth is not mandatory. You can have normal sessions etc by hitting the jersey login endpoint and setting a session and a cookie "keepme" with the session if user wants to be persistently logged in. You can then have a jersey AuthFilter for example check if either there is a cookie with a valid session or an active session and keep the user logged in.
Your frontend application should have no say over this, just communicate with the server and if it doesn't get unauthorized access (from the AuthFilter) then continues otherwise it displays the login page.
Using JavaScript I would like to automate the submission of data via a form POST to a website that requires a login. Using a browser, I am able to login to this site and create a session. On another tab of the same browser, I would like to open up a second tab on the same browser and load the page where my JavaScript resides and allow the JavaScript code to interact with the website session I created on the first tab so the data being posted is admitted as the session I am logged on from the first tab.
The purpose of this is to automate the posting of data to this website that requires login.
I have the JS that does my form POST automation. However the issue I am encountering is that the JS fails to post to the website because it does not seem to detect or use the session information from the previous tab and therefore thinks I am not logged in.
In short, how can I allow the Javascript http request running in one tab of my browser interact and take advantage of a session I have created with another website I have logged in in another tab of the same browser?
It turns out that i needed to add the withCredentials property to the xmlHttpRequest. Doing this allowed me to impersonate the cookies i already had set on the other tab.
My app has a session timeout after 30 minutes. If the user has a "permanent login" feature activated, then on a subsequent HTTP request the server reads the "perm session" cookie and restores the session.
However, if the user does not reload or navigate to another page after his session expired, but rather clicks on a button that retrieves data via AJAX, the session is not resumed; in the DIV where the data was supposed to be loaded into, a login window appears instead.
This leads me to an assumption that AJAX calls do not carry cookie information with them. Am I correct, or have I missed something else?
Update:
backend: symfony 1.2 (PHP framework),
frontend: Prototype
Update2: it was a bug in the application, not an issue with cookies
Sounds like you are restoring the session, but not providing a new auth cookie. You might want to try a technique that I've written about on my blog of having a client-side timer that will prompt the user right before the session times out and, when they click OK to renew it, will make a request that will serve to keep the session and authentication cookie alive. You can find more info at http://farm-fresh-code.blogspt.com. The article is titled Client-side Session Termination.
An XMLHttpRequest call should carry cookie information like normal. You may be running into a bug. Are you ensuring the call is from the same domain origin?
Perhaps your cookies are also expiring? More info might help .. :)
I'm building a client-side ajax login for Asp.Net MVC by doing jquery posts to the controller to log in the user.
What I'm wondering is when the user goes to log out, should the page refresh? (for security reasons)
This tutorial here says:
There will always be a page refresh on
logout. This is necessary to ensure
that any user-specific information is
cleared from the page.
And I figured since it's tutorial on doing client-side ajax login's that there must be a reason why they did it that way. If I do an ajax logout, is it safe to just switch everything to an anonymous view without reloading the page?
You don't need to refresh, Ajax is a simple HTTP request, so if the request properly logs you out on the server, you just need to make sure there's no relevant data left on the client, for example in a JavaScript object or in a cookie.
In any case you can still clean everything up without a page refresh.