I have been playing with Auth of fatfree using two routes login and logout. The first time I used login in a url the dialogue box came up asking for username and password. After typing in a username which exists in the table field 'user_name' and password in field 'user-pass' I got true for $result so web page displayed it works. Interestingly I have not got code new Session(); anywhere yet when i then went to url /logout echo $f3->get('SESSION.pass'); was correctly displayed suggesting Auth starts a session.
In my /logout route after echo $f3->get('SESSION.pass');
I have $f3->clear('SESSION');.
Yet if I then flip back between /login url and logout url, the dialogue box no longer shows and logout still displays '1234' which is SESSION.pass. I would have thought that after going to /logout url the session would clear, so after going back to /login url i though it would bring up the login dialogue box to login.
In a nutshell my question is "how do you logout of Auth"? The documentation doesn't seem to mention it.
$f3->route('GET /login',
function($f3)
{
$db = new \DB\SQL('mysql:host=localhost;port=3306; dbname=accra_names2','root','victoria');
$user = new DB\SQL\Mapper($db, 'users');
$auth = new \Auth($user, array('id'=>'user_name', 'pw'=>'user_pass'));
$result = $auth->basic(); // a network login prompt will display to authenticate the user
$f3->set('SESSION.pass','1234');
if($result)
//result true
{
echo "it works";
}
}
);
$f3->route('GET /logout',
function($f3)
{
echo "you want to log out ";
echo $f3->get('SESSION.pass');
$f3->clear('SESSION');
}
);
Actually your question is "how to logout from HTTP basic auth".
There are several topics and answers about it here on SO, like this one How to log out user from web site using BASIC authentication?
So if you want full control about the login/logoff mechanisms you go probably better with own html forms instead of the browsers basic login box.
Related
I'm having trouble finding any documentation in regards to Google One Tap UX and how to persist signin state after a signin redirect. I am using the html api, check the code here:
setTimeout(function () {
let target = document.getElementById('google-signin');
target.innerHTML = '<div id="g_id_onload" data-client_id="x" data-context="signin" data-login_uri="https://x/account/google/callback" data-auto_select="true" data-itp_support="true"></div>';
var s = document.createElement("script");
s.src = 'https://accounts.google.com/gsi/client';
document.head.appendChild(s);
console.log('appended script', s);
}, 30000);
</script>
Essentially I am delaying this signin popup for 30 seconds, that part works fine but soon after this is what happens:
Sign in occurs
Redirect happens
Server redirects back to the referer page
After 30 seconds the process starts again
I would have assumed the google sdk would set a cookie or something somewhere but I guess it does not, either that I'm supposed to handle persisting signin state through my own means. I just want to know the correct approach here.
My question is: How does google know if a user has already signed in using Google One Tap UX?
Figured out a solution. Google allows you to put a property on your div tag called data-skip_prompt_cookie="yourcookie" this will skip the one tap prompt if that cookie is present with a truthy value.
What I did was on my server callback in asp.net I added a cookie to the response. This ensures the prompt is only disabled once someone actually signs in.
Response.Cookies.Append(
"yourcookie", "true");
This ensures when my server redirects back to the originating page, the cookie exists and the one tap does not show up again
I have a script that currently does several things. It creates a user account in Active Directory, writes data to a SQL table and sends an email to the account requestor with the account's user name and password.
We'd love to add a hyperlink to that email so that the requestor can click to view their original request form, but I can't quite seem to get the syntax right.
Because double quotes are used in the PowerShell syntax as well as the HTML link, I defined the link as a variable and inserted that variable into the -body section of the email to eliminate double quote confusion, though this may not be necessary.
Can anyone help me insert a link in this email?
Many thanks!
CURRENT COPY:
"The user account you requested (request #$ReqID) has been created."
We'd like $ReqID to hyperlink to the Web form.
THE VARIABLE I'VE DEFINED:
$link = '$ReqID'
But it displays in the email body like this:
The user account you requested (request #$ReqID) has been created.
Help?
Swap your quotes around, i.e.:
$link = "<a href='http://tsturl/detail.aspx?reqID=$reqID'>$ReqID</a>"
Or do:
$link = '$ReqID'
$link = $ExecutionContext.InvokeCommand.ExpandString($link)
Further to your comment, if you want the mail body to render as HTML, an thus display a link, then you'll need to tell your mail client that the body is HTML. $link is just a plain old string and doesn't know that it's HTML.
From your previous question, I'm guessing you're using the Send-MailMessage cmdlet. If so then you need to specify the -BodyAsHtml switch.
A user enters a page in my web application. If the cookie is expired I provide the user with a link to the login page ask the user to login again. If he clicks the logout button the cookie is set to expire in the past.
$cookie = $cgi->cookie(-name=>"CGISESSID",-value=>'', -path=>'/',-expires=>'-1d');
The cookie is being set correctly to expire in the past as seen in page info of the browser
However the page doesn't know that until I click refresh
my $cookie = $cgi->cookie('CGISESSID');
if ($cookie){
#show content
}else{
$cookie = $cgi->cookie(-name=>'CGISESSID', -expires=>'now');
print $cgi->header(-cookie=>$cookie);
print "Please log in again ";
print " Login page ";
}
How can I force the page to refresh so as to delete the cookie. If I redirect the page a simple back button will display the content even if the cookie is expired.
I have login.pl and login.js set up as in http://www.ibm.com/developerworks/webservices/library/ws-simplelogin/#loginJS
On logout, you can redirect to another page:
$cookie = $cgi->cookie(-name=>'CGISESSID', -expires=>'now');
print $cgi->redirect(-uri => 'http://www.example.com/login', -cookie => $cookie);
EDIT: I think I misunderstood your question. It sounds like what you really want to do is redirect as soon as the cookie expires. This is tricky. Say our user's session expires, but they just leave the current page open in their browser. Unfortunately, our CGI script won't run again until the user sends another request, say by refreshing the page. And until they send a request, we won't know if their session has expired.
One possible solution is set your page to auto refresh using an HTML <meta> tag:
use CGI qw(meta);
print $q->header,
$q->start_html(
-head => meta( { -http_equiv => 'refresh',
-content => '60;URL=http://www.example.com/foo.cgi' } )
),
...
This will redirect to your CGI script every 60 seconds, allowing you to check the session again.
On another note, there are really much better tools than CGI.pm for developing web applications in Perl: Dancer, Mojolicious, and Catalyst, among others.
try :
print $cgi->redirect($SS1);
# $SS1 is the url for login.html
I am making a login page in JSP. I have an index.jsp page where exist the form and some javascript scriplets. Connectivity to oracle database and checking for username and password in database is done in check1.jsp file
My issue is after entering username and password, when I press login button, I have linked the form to check1.jsp, if username and password matches and exist, it redirects to welcome.jsp , but if username doesnot exist or password is not matched I have to get back to index.jsp showing a small message below box that username doesn't exist OR Password is not matched, currently I am just redirecting to index.jsp.
How should I show that appropriate small message below login box on that same index.jsp page??
You can use session object here:
In check1.jsp :
if (loginSuccess) {
//redirect to welcome.jsp
}
else {
session.setAttribute("error", "Username or Password is incorrect");
//redirect to index.jsp
}
In index.jsp:
String msg = session.getAttribute("error");
if (msg != null) {
%><p style="color:red"><%= msg %></p><%
}
Also there is other more simpler ways exists with EL and JSTL, but its just for an starting tip.
You should not redirect to index.jsp, but forward to index.jsp in this case. Store the message in some request attribute, forward to the index.jsp, and display the message if it's present in the request attribute.
You should use an MVC framework, in order to always make your URLs point to actions (controllers) implemented in Java, make these actions call the business ogic (here, log the user in) and have those actions forward or redirect to the appropriate view (index.jsp or welcome.jsp).
Say a user is browsing a website, and then performs some action which changes the database (let's say they add a comment). When the request to actually add the comment comes in, however, we find we need to force them to login before they can continue.
Assume the login page asks for a username and password, and redirects the user back to the URL they were going to when the login was required. That redirect works find for a URL with only GET parameters, but if the request originally contained some HTTP POST data, that is now lost.
Can anyone recommend a way to handle this scenario when HTTP POST data is involved?
Obviously, if necessary, the login page could dynamically generate a form with all the POST parameters to pass them along (though that seems messy), but even then, I don't know of any way for the login page to redirect the user on to their intended page while keeping the POST data in the request.
Edit : One extra constraint I should have made clear - Imagine we don't know if a login will be required until the user submits their comment. For example, their cookie might have expired between when they loaded the form and actually submitted the comment.
This is one good place where Ajax techniques might be helpful. When the user clicks the submit button, show the login dialog on client side and validate with the server before you actually submit the page.
Another way I can think of is showing or hiding the login controls in a DIV tag dynamically in the main page itself.
You might want to investigate why Django removed this feature before implementing it yourself. It doesn't seem like a Django specific problem, but rather yet another cross site forgery attack.
2 choices:
Write out the messy form from the login page, and JavaScript form.submit() it to the page.
Have the login page itself POST to the requesting page (with the previous values), and have that page's controller perform the login verification. Roll this into whatever logic you already have for detecting the not logged in user (frameworks vary on how they do this). In pseudo-MVC:
CommentController {
void AddComment() {
if (!Request.User.IsAuthenticated && !AuthenticateUser()) {
return;
}
// add comment to database
}
bool AuthenticateUser() {
if (Request.Form["username"] == "") {
// show login page
foreach (Key key in Request.Form) {
// copy form values
ViewData.Form.Add("hidden", key, Request.Form[key]);
}
ViewData.Form.Action = Request.Url;
ShowLoginView();
return false;
} else {
// validate login
return TryLogin(Request.Form["username"], Request.Form["password"]);
}
}
}
Just store all the necessary data from the POST in the session until after the login process is completed. Or have some sort of temp table in the db to store in and then retrieve it. Obviously this is pseudo-code but:
if ( !loggedIn ) {
StorePostInSession();
ShowLoginForm();
}
if ( postIsStored ) {
RetrievePostFromSession();
}
Or something along those lines.
Collect the data on the page they submitted it, and store it in your backend (database?) while they go off through the login sequence, hide a transaction id or similar on the page with the login form. When they're done, return them to the page they asked for by looking it up using the transaction id on the backend, and dump all the data they posted into the form for previewing again, or just run whatever code that page would run.
Note that many systems, eg blogs, get around this by having login fields in the same form as the one for posting comments, if the user needs to be logged in to comment and isn't yet.
I know it says language-agnostic, but why not take advantage of the conventions provided by the server-side language you are using? If it were Java, the data could persist by setting a Request attribute. You would use a controller to process the form, detect the login, and then forward through. If the attributes are set, then just prepopulate the form with that data?
Edit: You could also use a Session as pointed out, but I'm pretty sure if you use a forward in Java back to the login page, that the Request attribute will persist.