Disable browser back button for a CLIENT_CERT auth webapp - javascript

My webapp has a CLIENT_CERT based JAAS authentication. I am using IE7.
When I click on logout, it takes me to my home page. Now clicking on the back button, the user should remain on the same page, which I acheived using history.forward() javascript. But the certificate dialog comes up since the previous page was secured.
How can I avoid the certificate dialog from not coming and also remain on the non-secure home page when user clicks on back button after logging out.

The only way to disable the back button within a window is to use location.replace() for every single interaction, which you cannot do if you need to submit any forms unless you target them to a hidden iframe and then do a location.replace() in reaction to the iframe's onload event once the form is submitted. This is really nasty and complicates everything.
The other technique to avoid users going back through pages (some online banking sites do it this way) is to launch the secure section in a new window, and have logout close it (you can force a close in IE with window.opener = null; before window.close();.

Related

Detect/Prevent Browser Close or Session Storage Unload in Javascript/AngularJS

How can I use javascript or AngularJS to detect the browser or tab closing and allow the user to prevent it through a dialog message?
I have an AngularJS app that saves data to session storage so that the user can refresh the page without losing their state and also have multiple separate instances of the app open in different tabs without having to sync data.
If the user closes the tab or browser then they lose their work in progress because the session is unloaded. I want to detect when the session is being destroyed and show a message to the user that informs them they will lose their work in progress if they proceed and allow them to select OK to continue closing the browser/tab or cancel to stop prevent it from closing. I only want to show the message on browser/tab close, not when the user hits the refresh button or navigates to a new page.
Note 1: I need to use session storage and not local storage because different tabs need to be isolated instances of the app and cannot share data.
Note 2: I've tried the unload and beforeUnload events but these don't work because they also fire when the refresh button is clicked or the user navigates away from the page. I only want to show the message before the session is destroyed, i.e. when the tab/browser is actually closed.
Note 3: This is a corporate app for internal company use and I know all the users and their use cases so I am not worried about annoying them with the popup message. I realize that preventing a user from closing the app would be a bad user experience on a public website but his is a very controlled scenario.
Ideally you could just use the beforeunload event lifecycle.. but as you mentioned you can't. From what I know, there is no other way to bind a method to a similar event.
That said, you might also want to reconsider your first note. You could create a hash for each new session, and store the session stuff under that key in localstorage.

Browser Back Button in Modal Window (Lightbox)

I am loading content from WebsiteA.com into a Modual Window (LightBox). The Modal Window is embedded on WebsiteB.com (and not WebsiteA.com).
The user is able to navigate within the Modual Window but if he/she clicks on the Browser Back button the Modual Window closes.
Is there a way to use the Browser Back button to navigate within the Modal Window?
Regardless of being on one website or two, it's not possible to override your browser's back button, due to security reasons (e.g. "fake" browser navigation", countless phishing opportunities, etc).
If they were on the same website domain, you could get around this using various methods, such as redirecting to the same URL, but with a different hash fragment.

How to count outgoing links with Google Analytics in accurate and user friendly way?

Most resources suggest using onclick handler with trackEvent() for tracking outgoing links. BUT this way does not work with all navigation methods! It won’t work if you click with middle button (except Chrome) or control-click (except Chrome and FF) to open new tab, if you right-click and select new tab or window from context menu or if you drag link to another tab. Is such cases onclick is simply not called. You can check it with very simple link:
GO
Putting JavaScript in href attribute breaks the link in all cases when new tab or window is opened.
Putting onclick in span that looks like a link, will not allow users to decide if they want to open in new tab or not.
Finally, going through a redirect page, which tracks outgoing event, causes problems with back navigation – when users try to go back, they get back to the redirect page and then JS again redirects to the destination page. They need to click back twice … quickly.
Is there a better way, which would be both accurate and user friendly?
Context menu can't be detected by using JS. So if you want to catch that you need to use the redirect method. To fix the back button problem, redirect using location.replace to remove the tracking page from the back-button history.
I don't know any details about Google Analytics. In general, to track users' external navigation:
<a ping> is made for this purpose. If ping is not available, fall back to changing the links to go through a redirect page. Use a 302 redirect to prevent it from showing up in history; if you can't, try javascript:window.location.replace().

Capturing F5, Back, Forward, clicking on link actions

I want to show a popup when a user close the browser and that popup will redirect to some google survey that we need to do.
Currently by using onbeforeunload function in JavaScript it's prompting me the popup but I only need popup when the user closes the browser or they enter a new url.
Is there any way to prevent this function to not fire when page is refreshed, or user goes back or forward and if it can be done then how will I redirect to a survey page. Or if we can't prevent then there is any logic to do this.
No, this is not possible. These events are outside your control for security reasons.
You're probably best off finding a different solution for your problem.

Facebook Connect Bug - JavaScript Refresh

Facebook Connect has a recent bug that is causing the permissions pop-up window to not close and refresh the parent window as it is designed to do. Instead, after approval by the user it attempts to load the page directly in the pop-up window which is an awful user experience and really hurting our registrations. You can see the bug by registering for our site using Facebook Connect: http://alltrails.com
The URL of the page after the user connects that Facebook Connect is incorrectly loading in the permissions pop-up window is of the form:
http://alltrails.com/?installed=1&session={"session_key":"2.Gu0duOqdElNjXRac5wnetw__.3600.1283799600-1486832834","uid":1486832834,"expires":1283799600,"secret":"tKFaEgBTF9RJeuQZfYUSCw__","base_domain":"alltrails.com","sig":"a8dd9f75418b530ae6c3d935e14274c4"}
I'm hoping that someone much better at JavaScript than myself could suggest a simple code snippet that we could add to our homepage that would only be invoked if the page URL includes '?installed=1' and would do the following to allow the same user experience as Facebook Connect was intended to provide:
Close the permissions pop-up window
Load the appropriate page http://alltrails.com/register/facebook in the original parent window
I've tried to do this a bunch of different ways but haven't had any luck with getting it to work correctly. Thanks in advance for your help!
It's a (unconfirmed) bug.
http://bugs.developers.facebook.net/show_bug.cgi?id=12260
Hopefully it gets more votes so it gets fixed - vote people!
In the meantime, i am (attempting) to employ the following 'creative workaround':
Add logic to my Default.aspx page to detect that URL they are redirecting to in the popup.
Redirect to my page, FacebookInboundAuthorization.aspx, preserving querystring.
On load of that page, register some JavaScript to close the popup and manually fire the "onlogin" event handler for my button.
EDIT - Another possible solution
So i do something like this for the "Disconnect from Facebook" button, which has a similar bug which has been in FBC from day 1. If the user is already logged in, and you click the "Disconnect from Facebook" button, the "onlogin" handler is not fired.
So what i ended up doing is replacing the Facebook Disconnect button with my own regular anchor tag, mimicing the Facebook CSS. This way i can have full control over the click event (fire the function i want).
So, this principle could (theoretically) be applied to this current bug.
That is, after you do FB.Init on client-side:
Check FB auth status using FB.Connect.ifUserConnected
If user is connected, hide the regular FB:Login button, and show your "fake" FB Login button. Copy across the "onlogin" function from your regular FB:Login button to your fake button as the onclick event.
Your Fake FB Login button would be a regular anchor tag, with the same CSS applied to the regular FB Login buton.
So essentially, if the user is already connected, we don't really need FB's intervention for authentication, we can just do whatever we want (request perms, redirect, etc).
That should work.
Unfortunately i have higher priority things i need to work on, but it sounds like this is top priority for you.
So give that a go, hope it helps.

Categories

Resources