How to re-direct home page when the session id time is expire, not using auth id i have set the another value is session in Cakephp 3.0
You can most probably check validity via ->check() http://api.cakephp.org/3.0/class-Cake.Network.Session.html in your beforeFilter and then simply do a redirect
Related
I am using WSO2 identity server(wso2is-km 5.7) for multifactor authentication for an application.
I have set policy as:
First time login to application: Basic Authentication + email OTP.
This sets a device cookie in the browser, so when I logout from the application and try to login to the same application again it should just ask me for basic authentication.
Second and further login to application:Basic authentication(no email otp this time).
This whole policy works fine when i am carrying out this activity from intranet(Corporate network) but the same doesn't work if I try to login from internet(we have put WSO2 behind WAF[web application firewall]). Here i am being prompted for email otp even on second and further login to the application, meaning the device cookie is not being correctly set here.
Please refer the error below:[ERROR]
Error occurred when converting cookie value to JSON.Unexpected token END OF FILE at position 993
My guess is the cookie being set in the internet case is not proper(appended with some garbage value during SSL offloading at WAF).
How do i reslove this issue??
I have installed two different PHP frameworks Laravel 5.3 and Yii2 advanced. Both frameworks provide authentication out of the box which is great.
And both have the checkbox Remember me on the login page.
In Laravel, I have found that there is a remember_token field on users table which is as per my understanding used for the remember me feature.
But there is no such extra field on Yii2's user table.
So, I guess both provides the same feature but working differently. So I want to know that how that feature is working on both the frameworks?
Any help would be appreciated.
Note: I'm asking this because I have one system built with Yii2 and now I'm going to build a new system with Laravel. New Laravel system will use the same user table of the Yii2. Means the user can login into both the system with the same credentials.
Thanks,
Parth vora
Yii2 have auth_key - its default name, but you can define ur own column name and then declare it in identity class, which implements yii\web\IdentityInterface, in function getAuthKey().
The remember me function in Yii 2 (and most php frameworks) makes use of cookie-based login.
From the docs:
getAuthKey() returns a key used to verify cookie-based login. The key is stored in the login cookie and will be later compared with the server-side version to make sure the login cookie is valid.
Yii uses the auth_key field by default. That's probably the same field as Laravel's remember_token.
How it works is as follows:
Login with the remember me field checked.
Yii sets a cookie containing the user's (serialized) id, auth_key and duration (amount of seconds representing the duration of validity for this cookie). In yii2, the cookie name is specified by the identityCookie array in the config (user component).
All guests' requests are checked for the existance of the cookie, if it exists and is valid, the user is logged in.
That's basicly how cookie based logins work, so I'm assuming that Laravel uses a similar, if not exact same implementation.
I'm coding a web app use wicket 6.15.
I have a problem:
- login to web and login with user A (tab 1)
- open more tab (tab 2)
- make it experid session like change server time
- in tab 1, when do some thing, pageexpiredexception throw will make me go to login again, I login with user A (like before)
org.apache.wicket.protocol.http.PageExpiredException: Page with id '10' has expired.
-in tab 2, when do some thing pageexpiredexception throw make me go to login.
org.apache.wicket.protocol.http.PageExpiredException: Page with id '11' has expired.
How do I solve this? I want in tab 2 to continue without exception because it uses the same user account.
After creating the second session there is no page with id '11' in it, so PageExpiredException is thrown.
By default Wicket will try to detect the page class from the url and create a new instance of it. If it cannot detect it, e.g. the url is like "/wicket/page?11" then ApplicationSettings#getPageExpiredExceptipPage() will be used.
If the login page is being shown in your app then most probably you have custom IRequestCycleListener that catches PEE in its #onException() method and redirects to your login page.
You can try in wicket 7 to redirect to login page in WebApplication class
getApplicationSettings().setPageExpiredErrorPage(LoginPage.class);
once the login expired it will redirect to your login page.
after reading the oauth documentation on box's website, I understand the steps to get access_token and refresh_token, which requires authorization_code.
step1: send Get request to https://www.box.com/api/oauth2/authorize?response_type=code&client_id=CLIENT_ID&state=authenticated&redirect_uri=https://www.appfoo.com
step2: after entering credentials of box in browser and then click the "Allow" button, redirect to the specified redirect_uri with state=authenticated&code=AUTHORIZATION_CODE
step3: now with the AUTHORIZATION_CODE in the redirect url from step2, getting access_token can be done programmatically, by sending POST request to https://www.box.com/api/oauth2/token with AUTHORIZATION_CODE, client_id, client_secret in body and then parsing the returned json response.
My question is: is it possible to programmatically do step1 and step2 instead of via browser?
thank you very much!
The current OAuth 2 flow requires the user to go through the browser and can't be done programmatically.
It is possible, just imitate every form with cURL and on second step post cookies.
First time you will need 3 requests, next time only one (if refresh_token isn't expired, otherwise 3 again)
The point about imitating the browser transactions is a good one but instead of using cURL you would want to use a higher level tool like mechanize (available for ruby, perl and python). It will handle the cookies for you and can programatically traverse forms and links. Good for page scraping and writing scripts to order hot concert tickets from TicketMaster too!
If you have the authorization code, you then should be able to get the OAuth Token(access_token, refresh_token) via SDK, correct?
In response to aIKid, this is what I first do to get a BoxClient
BoxClient client = new BoxClient(clientId, clientSecret);
Map<String,Object> authToken = new HashMap<String,Object>();
authToken.put("exprires_in","3600");
authToken.put( "token_type","bearer");
authToken.put("refresh_token", clientRefreshToken);
authToken.put("access_token",clientAccessToken);
BoxOAuthToken oauthToken = new BoxOAuthToken(authToken);
client.authenticate(oauthToken);
return client;
Then, I have this to create a new user,
BoxUser createdUser = new BoxUser();
BoxUserRequestObject createUserRequest = BoxUserRequestObject.createEnterpriseUserRequestObject("someEmail.domain.com", "test user");
createdUser = client.getUsersManager().createEnterpriseUser(createUserRequest);
Now I'm trying to figure out how to do the RUD part of my CRUD operations on users and groups.
I need to log unique user sessions in Webmatrix / Razor / ASP.NET Web Pages. Does _appstart fire just when the app spins up the first time in IIS or does it fire once per unique user hit? If just once, how do I capture unique user sessions & settings?
UPDATE: I wasn't sure if the Global.asax events were fired under Razor / ASP.NET WebPages. I tested it out and the Session_Start event fires just fine. Question resolved.
void Session_Start(object sender, EventArgs e)
{
// Code that runs when a new session is started
Dictionary<DateTime, String> d = new Dictionary<DateTime, String>();
Application.Lock();
if (Application["d"] != null)
{
d = (Dictionary<DateTime, String>)Application["d"];
}
d.Add(DateTime.Now, HttpContext.Current.Session.SessionID);
Application["d"] = d;
Application.UnLock();
}
To directly answer your question, _AppStart runs when the first user hits your site. Future users to the site do NOT cause _AppStart to run. There is no specific page or place to put code that runs for each unique user.
What you want to do is take a look at the ASP.Net Session object. In your page, you can store and retrieve data from Session like so:
#{
// Retrieve
var someSetting = Session["SomeSetting"]
// Store
Session["SomeSetting"] = someSetting;
}
ASP.Net will take care of making sure that the setting is stored per-browser-instance using Session Cookies. Note that if you're in a Web Farm environment, you'll need something more robust, but when you're talking about a single server, this should be fine.
If you want some more info, here's the official documentation for ASP.Net Session State: http://msdn.microsoft.com/en-us/library/ms178581.aspx
You have asked about logging "unique user sessions", which is a little confusing. All sessions are unique, but not all sessions belong to unique visitors. Returning visitors will start new sessions. If you want to keep a count of sessions, you can hook into the Session_Start event in Global.asax. If you want to count unique visitors, use cookies. Set them when a user visits if one hasn't already got a cookie. Ensure that their expiry is some time well into the future. If the visitor hasn't got a tracking cookie for your site, they must be new (or they might have deleted their cookie...)