I am currently developing a website where I am facing the following problem:
I tried passing the User id and password to the login page and auto submit the page using a script, which will take the user to the next page. This is just to bypass the login page in my site. This works perfectly fine.
When the "No script" add on is enabled on a Mozilla Firefox browser, the script to auto submit the form is not working. As a result, the login page is getting displayed to the user with the filled in user id and password.
Also, sometimes the user is able to see the login page on the front end when we auto submit the login page.
Are there any possible ways to overcome these two issues?
Redirecting the user's browser as you are doing now is really only possible client side with Javascript, which is always able to be blocked. You could store the user_id and password in a session variable and access that data on your login page which handle's the actual authentication. Doing it that way would eliminate the need for auto submitting forms.
But if you really want to use form posting you can emulate a form post with PHP using cURL, but this is a little more complicated.
cURL on php.net
Sending post form data with PHP and cURL
On my site, if the user is not logged in I run a "tryCookieAuthentication" method on every page load which checks to see if the "remember me" cookie is set. If it's set and everything seems legitimate, I go ahead and authenticate the user and log him in. This way the user doesn't even have to touch the login page. I don't know if this is what you're trying to do, but it might give you an idea.
If you already know the user_id and password when the user requests the login page then you could just send a location header
Related
When the logged-in user clicks on the browser back button, he falls back to the login page from the main page he entered. And this happens without being routed in any way and running the controller functions because the browser's cache is loaded. I tried to clean all cache via middleware, but it didn't happen. Then, if the user tries to fill in his information from the login page and enter again, 419 page expired error is coming. I tried to do this with session checking method. I gave a key to the session, but the controller didn't recognize the key in the session because it didn't work. I looked through the history library (history.js) but couldn't find the solution as I wanted. My aim was to log out when the user presses the browser back button and show a box like Are you sure you want to exit, and then allow him to log in again. unfortunately, I couldn't do this in laravel I really need help and I can't find solution I think it can be done with AJAX or JS but I'm not sure. I am suffering from this situation for days. Your help will be rewarded. Thank you to everyone who has already read.
I have created a login page using HTML and JS. It has a form and a submit button. When a user enters invalid credentials, an error message is displayed on same page (it is displayed below the form). However, Facebook, GMail, Hotmail, etc, redirect the user to another page if credentials are incorrect. Why do they choose that approach? Is it related to security? Thanks in advance.
It's primarily a matter of personal choice. If you are creating a single page app with angular or the likes, the cleanest (and my preferred) method is to do as you are and display the error message there. If you want the error to be more "meaty", a redirect serves your purpose. Usually displaying the error on the same page is sufficient though.
I've a login page and some pages managed with session after login. If a user bookmarks a page after logging in, and tries to access the same bookmark later, I want that page to be redirected to login page again to enable secure access. How can this be achieved with jsp. Or is there some other way like javascript,etc., I would appreciate any help on this.
Thanks in advance.
IT's hard to say for sure without seeing any code. Essentially what you need to do is check the users session to see if it is still valid and then do the redirect if it is not valid.
you can redirect in JavaScript via
window.location = "Redirect Url"
You say you are using JSP so check this question, it looks to be what you need to do.
Checking if a user is already logged in or the session is started in jsp
I need to setup a Master Site that would embed Site 1 and Site 2 in iframes, login and start user sessions within them.
Site 1 (RoR) and Site 2 (unknown framework) has got their own authentication (username, pass, cookies, usual framework security).
Master Site (PHP) server has direct access to Site 1 database and I know the password hashing algorithm so I can validate Master Site's login password against Site 1. Site 2 can get their passwords to be changed accordingly if needed, but no access to db nor framework.
I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around it though full read access to Site 1 is present.
I've sketched a quick diagram to better show what I mean/need:
a busy cat http://gettaxi.me/public_img/help.png
I need to start a user session inside an iframe. The login credentials of Site 1 are identical to Master Site's as they come from the same db, credentials for Site 2 will be assumed same (might just show login failed if they're not).
Idea list so far:
I could record the login credentials into Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.
Same as above but store it in Master Site session variable.
The idea of cross-domain cookies seem useless here because every site has to set it's own session cookies, one website can't set it for another...
I've never dealt with anything cross-domain like this so before. So before I go and start coding things like a mad man that might or might not work - I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?
Additional questions:
Do cookies set by Site 1 and 2 from within iframes behave the same? Are they persistent and if I'd open the same website NOT in an iframe later, would they be accepted?
If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? Javascipt? Some neat GET/POST/redirection trick?
Thanks in advance!
Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.
User logs in to Master Site
Validate credentials
Generate a random client token
Encrypt the password with that token and store the crypto in a session variable
Set a cookie and store that token in users browser
jQuery actions when Link to Site 1 or 2 is clicked:
Send an ajax request to server with that token
Validate user session and decrypt stored password on success
Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
Submit that form with target="iframe"
Clear those form pre-filled form fields
Vuala, a working cross-domain iframe auto-login...
Of course there's more going on like hiding, unhiding divs on button clicks, session timeouts, token expiry renew upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain either.
Update:
Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping privacy setting by a notch in IE, allowing 3rd party cookies in Safari or simply detecting the browser and if it's one of the above - open it in a new tab/window.
Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon
Got a very strange issue, never seen it before. Basically in the admin section of our website, a user attempts to edit something by clicking a button.
This button attempts to call a webservice (via jquery, which the page will then use to show an edit form in shadowbox).
However the user informs me that instead of the form popping up as usual it is blank for a few seconds. Then this pops up:
Any ideas? The webservice is in the admin section, which requires the user to be in a role (which the user is, otherwise they would never get to the point of being able to click the edit button).
This is normal if your web service is located on a different machine as your web server.
If the two machines are on the same domain, then the browser will attempt to use the default network credentials that has been cached.
This dialog will also pop up if the default credentials used to access the web server (which could be anonymous) does not have access to the resource (folder) where the web service is running. The pop up gives the user an opportunity to enter another set of credentials.