I setup a SPA authentication with Laravel Sanctum, it works fine. I login successful with an user. In Chrome Devtools, Application > Storage > Cookies, I copy and save the values of laravel_session and XSRF-TOKEN to a text file, then logout and delete all cookies and refresh browser, here I logged out.
Then I re-open Devtools, restore the values of laravel_session and XSRF-TOKEN manually, refresh browser, now my status is logged in.
Is this normal? Is this the way that cookie based session authentication work?
Thank you.
I was running into the same issue. My problem was that I called Auth::logout() instead of Auth::guard('web')->logout(); inside my AuthController in Laravel.
By using Auth::guard('web')->logout(); the cookies seem to get revoked by the server and can't be used for authentication any more.
By the way, I found the answer here: https://stackoverflow.com/a/63449251/10095327
Related
I have configured SSO for Jenkins via google workspace.
https://support.google.com/a/answer/9002495?hl=en
This works as expected but after the session expires or when trying to login after closing the tab, it gives below error. Clicking log in just keeps redirecting to the same error page.
However, it works after clearing cookies every single time before logging in. Any idea why this is happening or a solution to login without having to clear browser cookies every single time?
Thank you in advance.
Google does not support SAML SLO, so this message seems to be expected behavior (meaning that the app could expire their login session but Google will remain logged in).
What I can recommend is to change the session limit on Jenkins and I found some references about it, hope it can come in handy:
References:
Jenkins login session timeout
Github -Jenkins session timeout configuration
I have a website freshly deployed on the internal network of a client. I can test it only by remote desktop on a Windows Server 2012.
The website performs SAML authentication: the browser first receives a session cookie from the website, then is redirected to the SAML identity provider, and comes back to the website with the SAML response, where it also sends back the session cookie. This works fine with Chrome, but for some reason IE11 won't send back the session cookie, which prevents the server from accepting the SAML authentication.
I have no idea why IE11 fails to send the session cookie. I have checked in the Network pane in debug tools, and I do get the cookie (though I can't confirm IE is actually storing it) :
Set-Cookie ASP.NET_SessionId=yzk4rdznlg534so2xuxqmuv4; path=/; HttpOnly
Then I am redirected to the identity provider, but when coming back to the website, it doesn't send the cookie. The cookie is HTTP only so I can't check in the console if it is stored or not. I have used the instructions posted here to see stored cookies, and I can't see a cookie for my website at any time (though redirections happen fast, so it could possibly be added and then removed before I have a chance to see it).
I also believe I have explored all possible security and privacy settings to allow everything, to no avail.
In case it's important, the site URL has no dot (it's https://mmr-pp_sef/)
Any idea how I could troubleshoot what is (or isn't) happening?
Well, turns out that it IS related to the URL used (should have checked myself sooner instead of just pointing out that the URL was weird in my question).
Apparently, IE will not store cookies if there is an underscore _ in the host name. This can be verified by modifying your "hosts" file:
Open the file C:\Windows\System32\drivers\etc\hosts (you'll need admin rights)
Add this line at the end and save the file:
127.0.0.1 test_site
Enter the URL http://test_site in your browser (this assumes your web server listens on 127.0.0.1)
Observe that IE won't store any cookie.
The only workaround I have at this time is to use another host name, that does not contain an underscore, such as test-site.
I'm developing an app that logs into a HTTPS website. After authentication, the website sends a final cookie that is marked as 'Secure'.
The app works when I use defaultSessionConfiguration() for NSURLSession().
When I change one line in the app to use the backgroundSessionConfigurationWithIdentifier() then I can't proceed past the authentication stage. I do get a webpage showing that I am authenticated but subsequent requests return the login page.
It appears that the "authentication successful cookie" is not present in the shared cookie storage.
This cookie is the only cookie that the website marks as "Secure". Note that this HTTPS website does all it transactions via HTTPS.
TL;DR
What does the NSURLSession background session do differently from the default session to lose a Secure cookie??
EDIT: I've done some more work.
When NSURLSession redirects using the backgroundSessionConfiguration it appears to ignore cookies that were sent in the Header of the redirect? (I think the cookie being "Secure" may not be critical.)
The redirect works correctly when the defaultSessionConfiguration is specified.
It turns out that this is a known bug. Apple r. 16,852,027.
The backgroundSession is known to ignore new cookies on redirect. The solution is to use a defaultSession to get the cookies and then continue using backgroundSession.
See Apple Developer Forum post
I'm using shibboleth authentication in my application, and when user clicks Logout button, he will be directed to the ~/Shibboleth.sso/Logout link, it seems like a success when button clicked, but if I try to login using shibboleth one more time, it will not redirect to the Shibboleth Login page! instead it shows the previously logged on user (that I've logged out).
So session seems to be persistent even after logout!
But if before signing in again, I closed my browser, the user is redirected normally to the Shibboleth Login page.
So it seems like a session state or cookie problem!
I've used the following code to solve it:
if (Request.Cookies["shibsession"] != null)
{
HttpCookie myCookie = new HttpCookie("shibsession");
myCookie.Expires = DateTime.Now.AddDays(-1);
Response.Cookies.Add(myCookie);
}
Response.Redirect("~/Shibboleth.sso/Logout");
But it's not working!
Can any one help?
The URL Shibboleth.sso/Logout hit at Service Provider has no control over the IdP's session, nor could it. It can send SAML logout requests, or issue proprietary redirects.
Best practice: Logout handler should be handled by Identity provider.
Closing browser is only option after doing logout. Logout doesn't work at scale and it never will unless the browser vendors cooperate and just do it themselves. So you
could assume that closing the browser is the only option and that still
requires clearing cookies on latest browsers Chrome or Firefox.
I am using JSF richfaces 3.3 on websphere server 7.x.
The problem is when
user logged in to the application using a browser window and had kept it open for more than LTPA token time out time then LTPA token expiration exception is occurring. Then page is not redirecting to the "logout" page configured. But it getting redirected to the Login page and after successful login then a weird xml page is displayed.
I understand that this is happening because on LTPA token time out when we try to access a JSF resource, as no authentication details are present page is being redirected to login page.
Then as no proper session is present Faces context is still trying to access previous session JSF tree this exception is occurring.
So Question is: How to handle this scenario of LTPA token time out in JSF richfaces3.3?
P.S.: Page is getting redirected to "logout" page on web session expiration.
Vamshi,
If the LTPA token has expired and you try to access a secured resource it will naturally take you to the login page.
That is the expected behaviour!
After you login again you go back to the page you had requested. Depending on your app, either a new HTTPSession is created or it might not even be created during this.
The application should be built to handle this. One approach could be to redirect the user to the main page of the application stating that required information is not available and that you are redirecting the user (after examining the HTTP Session for required information)
HTH