Remember-me cookie deleted after app restart - is this OK? - spring-security

I have remember-me implemented in my Spring Boot app. As I can see, the cookie is created correctly after login, with the proper expiration time etc. But this cookie doesn't survive an app restart on my Tomcat server. The scenario is simple. The user logs in with remember-me and the cookie is available in the browser. Then we redeploy the app in Tomcat and now, when the user refreshes the app in the browser window, he is logged out and the cookie is deleted from the browser. Shouldn't the cookie survive this and allow automatic login even when the app restarts in Tomcat?
Here is a snippet from my SpringBoot security config.
app.logout()
        .deleteCookies("nh_remember")      // clear the remember-me cookie on explicit logout
        .logoutSuccessUrl("/")
        .logoutUrl("/logout")
        .permitAll()
    .and()
    .rememberMe()
        .rememberMeCookieName("nh_remember")
        .tokenValiditySeconds(1209600)     // 14 days
        .key("xxxxxxxx");

You have to persist the token between restarts of Tomcat. Check out the documentation: http://docs.spring.io/spring-security/site/docs/current/reference/html/remember-me.html
Specifically, you need to set up a PersistentTokenBasedRememberMeServices, which holds information about the database that you persist the tokens to.

Related

prevent inactivity logout in asp.net mvc

In my application I have used several session variables, but not set any session timeout in web.config. I have used authentication mode "none" in web.config.
But after some inactivity time, it logs out and redirects to the login page. It should remain, and all operations should carry on as they are even if I keep it inactive for hours (like Gmail, where until we click logout it will be there). Please assist me in resolving this inactivity session-out issue. It should not lose any sessions, and operations should carry on until I explicitly click "LogOut".
The best approach to handle this is:
Save the user session in the database and store the session token in a cookie which never expires (set the cookie expiry to never expire).
That saved cookie and the session data in the database are removed when the user logs out (modify the logout code to remove them).
Also, if the user clears all saved cookies in the web browser, that saved session is no longer valid and the user will have to log in to your system again. That is an obvious thing.
FYI: this is exactly the way to implement a Remember-me feature.
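The Spring answer above (persist the token in a database) and this one (keep the session in the database and give the browser a long-lived token) describe the same mechanism: the cookie carries only an identifier, and the server-side record is what survives a redeploy. The Python model below is an added example, not code from either post and not Spring's own implementation; it shows the series/token design that Spring's PersistentTokenBasedRememberMeServices builds on its persistent_logins table. The table and column names are an assumption mirroring Spring's, a SQLite file stands in for the application database, and scenario() replays the sequence from the question (login, redeploy, refresh) followed by a replay of the old cookie. Unlike a cookie that never expires, the store enforces a validity window, which is the role of tokenValiditySeconds in the Spring config above.

```python
import hmac
import os
import secrets
import sqlite3
import tempfile
from typing import Optional, Tuple

# Constructed table in the shape of Spring's persistent_logins table
# (username, series, token, last_used); the exact names are an assumption.
SCHEMA = """
CREATE TABLE IF NOT EXISTS persistent_logins (
    username  TEXT NOT NULL,
    series    TEXT PRIMARY KEY,
    token     TEXT NOT NULL,
    last_used REAL NOT NULL
)
"""


class CookieTheft(Exception):
    """Known series presented with a stale token: the cookie was copied and replayed."""


class PersistentRememberMe:
    """Series/token remember-me store. All state lives in the database, none in the process."""

    def __init__(self, db: sqlite3.Connection, validity_seconds: int = 1209600):
        self.db = db
        self.validity = validity_seconds
        self.db.execute(SCHEMA)
        self.db.commit()

    def login(self, username: str, now: float) -> str:
        """Called after a successful interactive login with 'remember me' ticked."""
        series, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.db.execute("INSERT INTO persistent_logins VALUES (?, ?, ?, ?)",
                        (username, series, token, now))
        self.db.commit()
        return f"{series}:{token}"

    def _revoke_series(self, series: str) -> None:
        self.db.execute("DELETE FROM persistent_logins WHERE series = ?", (series,))
        self.db.commit()

    def auto_login(self, cookie: str, now: float) -> Optional[Tuple[str, str]]:
        """Return (username, rotated_cookie), or None if the cookie is unknown or expired.
        Raises CookieTheft when the series is known but the token is not the current one."""
        if ":" not in cookie:
            return None
        series, token = cookie.split(":", 1)
        row = self.db.execute(
            "SELECT username, token, last_used FROM persistent_logins WHERE series = ?",
            (series,)).fetchone()
        if row is None:
            return None
        username, current, last_used = row
        if not hmac.compare_digest(current.encode(), token.encode()):
            # Someone already used this series with the current token. Revoke the whole
            # series so neither the attacker nor the victim can keep using it.
            self._revoke_series(series)
            raise CookieTheft(username)
        if now - last_used > self.validity:
            self._revoke_series(series)
            return None
        # Rotate the token on every use; the series stays so the browser keeps its identity.
        new_token = secrets.token_urlsafe(16)
        self.db.execute("UPDATE persistent_logins SET token = ?, last_used = ? WHERE series = ?",
                        (new_token, now, series))
        self.db.commit()
        return username, f"{series}:{new_token}"

    def logout(self, username: str) -> None:
        self.db.execute("DELETE FROM persistent_logins WHERE username = ?", (username,))
        self.db.commit()


def scenario() -> dict:
    """The sequence from the question: log in, redeploy, refresh, then replay the old cookie."""
    path = os.path.join(tempfile.mkdtemp(), "logins.db")   # constructed stand-in for the app DB
    t0 = 1_700_000_000.0
    svc = PersistentRememberMe(sqlite3.connect(path))
    cookie = svc.login("alice", t0)
    svc.db.close()                                       # redeploy: in-process state is gone
    svc = PersistentRememberMe(sqlite3.connect(path))    # new process, same table
    user, rotated = svc.auto_login(cookie, t0 + 60)      # browser refresh after the restart
    try:
        svc.auto_login(cookie, t0 + 120)                 # old cookie replayed after rotation
        theft = False
    except CookieTheft:
        theft = True
    still_valid = svc.auto_login(rotated, t0 + 130)      # the whole series was revoked
    svc.db.close()
    return {"user": user, "rotated": rotated != cookie,
            "theft_detected": theft, "series_revoked": still_valid is None}
```

Two properties carry the security value: the token rotates on every successful auto-login, so a copied cookie goes stale as soon as the legitimate browser uses it, and a stale token on a known series is treated as theft and kills the series, so the victim is logged out and notices. Because nothing but the database is consulted, a Tomcat redeploy has no effect on it.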

ASP.NET Identity 2 relogin after deploy

I'm using ASP.NET MVC 5 together with Identity 2, standard login/password authentication, with a "remember me" checkbox.
Imagine the scenario:
user logs in (standard auth cookie)
application is redeployed
user needs to relogin again.
Questions:
Is it possible not to have to log in again after a deploy?
Sometimes, after a deploy, when you refresh a page that requires authorized access it displays correctly, but if you refresh a second time it redirects to the login page.
All this happens when deployed to IIS 7; locally on IIS Express everything is OK.
The reason you have to log in again is that the machine key changes. The machine key is used to encrypt and decrypt the authentication cookie. Since the existing cookie cannot be decrypted, the user is deemed unauthorized and needs to log in again.
To overcome this you can manually set the machine key in the application's web.config.
There is a good online tool by Developer Fusion which can generate these for you. Below is an example of one...
<machineKey
validationKey="B4A19ABE93A27433785DD47D6444E4B59394E220641D339AEE453D701F202140FF2BF519CED40335A0563AFB494A48DDF1A8DA00D462B42813712D21342B28C2"
decryptionKey="2488146C1EA8177EB75422FE6FB6188550EBD0E4B67FCFD33056E50AD9771040"
validation="SHA1" decryption="AES"
/>
Now the keys never change when you redeploy.
Hope this helps.

Azure AD timeout after 20-30 mins idle - how to avoid it?

I have an ASP.NET MVC5-application, using Azure AD to let Office365 users from different organizations authenticate.
However, if the web application is idle for about 20 minutes, the user is redirected to the login page at the next click/reload. The problem is that the user won't notice this right away, because they are not redirected, since updates on the page are async JS-based... which are then not saved to the database. But when the page is refreshed, they are redirected to the login.
How do I avoid that login timeout after idle for 20 minutes? I don't really want them to be logged out at all.
Thanks!
It's because the encryption/decryption key for the authentication cookie is being generated on application startup. When the application gets shut down from being idle, on the next startup the application can't decrypt previously issued authentication cookies, essentially logging everyone out.
You'll need to set the <machineKey /> element in the web.config of your application. You can use an online service to generate it, or IIS has a built-in machine key generator if you don't trust the online services.
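This answer and the ASP.NET Identity answer above describe the same failure: the authentication cookie is protected with the machine key, and an auto-generated key does not survive an application restart, so every ticket issued by the previous process fails validation. The Python model below is an added example (not code from either answer, and not ASP.NET's own ticket format, which also encrypts the payload): it signs a ticket with HMAC-SHA256 under the process's key and reports whether a ticket issued before a restart is still accepted afterwards. The AppProcess class, the ticket layout and the CONFIGURED_KEY constant are assumptions made for the demo; the generated key stands in for the value you would paste into <machineKey/>. One caveat on that step: a key printed in a public post is not secret, so generate your own, and use the same value on every node of a web farm, which needs it for the same reason a restart does.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_auth_cookie(key: bytes, username: str, now: float, validity_seconds: int) -> str:
    """Signed (not encrypted) auth ticket: b64(payload).b64(HMAC-SHA256(key, payload))."""
    payload = json.dumps({"sub": username, "exp": now + validity_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def read_auth_cookie(key: bytes, cookie: str, now: float) -> Optional[str]:
    """Return the username if the ticket verifies under this process's key, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None          # tampered, or signed under a key this process does not have
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims["sub"]


class AppProcess:
    """One application instance (assumed model). With no configured key it mints a random
    key at startup, which is what a missing <machineKey/> amounts to."""

    def __init__(self, configured_key: Optional[bytes] = None):
        self.key = configured_key if configured_key is not None else os.urandom(32)


def survives_restart(configured_key: Optional[bytes]) -> bool:
    """Issue a ticket in one process, restart, and see whether the next process accepts it."""
    t0 = 1_700_000_000.0
    before = AppProcess(configured_key)
    cookie = issue_auth_cookie(before.key, "alice", t0, 1209600)
    after = AppProcess(configured_key)            # redeploy or idle shutdown, then cold start
    return read_auth_cookie(after.key, cookie, t0 + 60) == "alice"


# Constructed stand-in for the value you generate once and write into web.config.
# Generate your own; never reuse a key that has been posted anywhere public.
CONFIGURED_KEY = os.urandom(64)
```

survives_restart(None) returns False because the second process mints a fresh random key and the old ticket's tag no longer verifies; survives_restart(CONFIGURED_KEY) returns True because both processes read the same key from configuration. A ticket whose payload is edited (for example the username) fails the same comparison, which is the other job the machine key does.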

Notify Server when cookie is Deleted

Notify the server (Web API on IIS) when a cookie is deleted, i.e. when the user manually clears browser cookies. How do I notify my website to immediately log out the user?
Right now, when a new request comes in, we redirect to sign-in in the absence of the cookie.
EDIT:
To present an analogy, the Azure management portal logs out the user immediately, however here at Stack Overflow the web page remains active until we make the next request to SO.
Cookies are used to keep the user information in web browsers so that when another request is sent to the server, the server knows who the client is (login information etc.). As you have experienced, after clearing the cache there is no login information stored in the browser, and when the next request goes to the server it redirects you to the sign-in page. Therefore this is not possible.
This is not related to the user manually removing cookies, but from the server side you can clear cookies as shown here and here.
This isn't how the internet works. When I clear cookies on my machine, no request is sent anywhere. You can't know this.

SSO - JBoss 7.x and JSF

We have a JBoss EAP 6.3 cluster with 2 nodes. We also enabled SSO.
The thing is, we have a web application that has the login form, so when the session timeout configured in web.xml expires, it redirects the user to that form. The other deployed web applications, on session timeout, redirect to that form too.
On one hand we have the session-timeout property in web.xml for every web application, and on the other hand we have SSO enabled in JBoss.
Is the same session timeout value on all web applications correct? Should we ignore that value and focus on some SSO global session timeout value? What's the best practice for configuring the session timeout of every web application in this scenario?
Thanks guys,
Regards.
The web session and the SSO session are different things: a session is created when you access a web application, and it can exist without authentication. SSO allows authentication to one resource to implicitly authorize access to other resources.
Then, according to the documentation:
How SSO Works
If a resource is unprotected, a user is not challenged to authenticate at all. If a user accesses a protected resource, the user is required to authenticate.
Upon successful authentication, the roles associated with the user are stored and used for authorization of all other associated resources.
If the user logs out of an application, or an application invalidates the session programmatically, all persisted authorization data is removed, and the process starts over.
A session timeout does not invalidate the SSO session if other sessions are still valid.
So if you want to invalidate the SSO authentication across the cluster, you can call the method Request.logout(), for example.
SSO Configuration Options:
maxEmptyLife: Clustered SSO only. The maximum number of seconds an SSO valve with no active sessions will be usable by a request, before expiring. A positive value allows proper handling of shutdown of a node if it is the only one with active sessions attached to the valve. If maxEmptyLife is set to 0, the valve terminates at the same time as the local session copies, but backup copies of the sessions, from clustered applications, are available to other cluster nodes. Allowing the valve to live beyond the life of its managed sessions gives the user time to make another request which can then fail over to a different node, where it activates the backup copy of the session. Defaults to 1800 seconds (30 minutes).
See also: Use Single Sign On (SSO) In A Web Application
Another thing: it is not possible to configure a default session-timeout value in JBoss 7 (unlike JBoss 4, 5 and 6), so you'll have to configure this value in each application.
E.g. add to your web.xml:
<session-config>
    <!-- value in minutes; 0 or a negative value means the session never times out -->
    <session-timeout>20</session-timeout>
</session-config>
I hope this helps.
