How are sessions and cookies actually managed for different browsers?

After I logged into an application in one browser and opened the same URL in another browser, it asked me to log into that application again.
How does the application know which browser I am using, since both come from the same IP address?
Does it send the session and cookies to the browser in such a way that the other browser cannot access those cookies?

Sessions and cookies are per browser, not per IP address.

cookies are not stored from iframe - Laravel

I am using Laravel. An iframe on domain a.com shows my site at b.com, but inside it the user can't log in to my site and no form can be submitted. It sounds like Safari blocks all third-party cookies (https://stackoverflow.com/a/63478017/6934036), and the old solutions are not working on newer versions of Safari.
Is there a new way to force Safari to store cookies from the site in the iframe?
And if there is no correct way, how can I force Laravel to authenticate the user via local storage instead of cookies?
UPDATE:
The cookies' SameSite attribute is None with the Secure flag.
Both sites use HTTPS.
It works correctly in Chrome and Firefox.

For third-party cookies, you need to specify the SameSite attribute as None:
SameSite=None
Also, many browsers currently require that SameSite=None cookies also have the Secure attribute, meaning that they require a secure context, to prevent them being observed by unauthorized devices.
Apple used to be very strict about security and privacy. So probably this is the reason why your cookies are not working.
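The rules the answer above relies on, worked through as an added Python example (this is not code from the question, the answer or Laravel): a cookie set by b.com inside an a.com iframe is rejected outright if it says SameSite=None without Secure, is kept but withheld on cross-site requests if it is Lax or Strict (Chromium treats a missing SameSite as Lax), and in Safari is blocked in the third-party context no matter what attributes it carries, which is the behaviour the question's linked answer describes. The Browser profiles are simplified models for Chrome and Safari, not specifications, and the outcome names are illustrative.

```python
"""Will a cookie set by b.com inside an a.com iframe be stored and sent back?

Added example, not code from the question or answer above. Browser profiles
are simplified models; the outcome strings are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Browser:
    name: str
    default_samesite: str      # value assumed when the SameSite attribute is absent
    blocks_third_party: bool   # Safari-style: no cookie access in third-party context at all


CHROME = Browser("Chrome", default_samesite="Lax", blocks_third_party=False)
SAFARI = Browser("Safari", default_samesite="Lax", blocks_third_party=True)  # default is moot when blocked


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: name, value and the attributes that matter here."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().capitalize() or None  # None/Lax/Strict, case-insensitive
    return cookie


def third_party_cookie_outcome(set_cookie_header, browser, over_https=True):
    """Outcome for a cookie set by an embedded (cross-site) response.

    "rejected": never stored. "blocked": browser refuses cookies in third-party
    context. "stored_not_sent": kept, but withheld on cross-site requests.
    "sent": the iframe's requests carry it.
    """
    cookie = parse_set_cookie(set_cookie_header)
    if browser.blocks_third_party:
        return "blocked"                  # attributes cannot help; only the context matters
    if cookie["secure"] and not over_https:
        return "rejected"                 # Secure cookies are only accepted from HTTPS responses
    if cookie["samesite"] == "None" and not cookie["secure"]:
        return "rejected"                 # explicit SameSite=None requires Secure
    samesite = cookie["samesite"] or browser.default_samesite
    if samesite in ("Lax", "Strict"):
        return "stored_not_sent"          # iframe requests are not top-level navigations
    return "sent"


if __name__ == "__main__":
    header = "laravel_session=abc123; Path=/; HttpOnly; SameSite=None; Secure"
    for browser in (CHROME, SAFARI):
        print(browser.name, third_party_cookie_outcome(header, browser))
```

Run it against your own Set-Cookie header (copy it from the browser's network panel): if Chrome reports "sent" and Safari "blocked", the cookie attributes are already correct and the remaining problem is Safari's third-party policy, not your configuration.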

Notify Server when cookie is Deleted

Notify the server (Web API on IIS) when a cookie is deleted, i.e. when the user manually clears the browser's cookies. How do I notify my website to immediately log out the user?
Right now, when a new request comes in, we redirect to sign-in in the absence of the cookie.
EDIT:
To present an analogy: the Azure management portal logs out the user immediately; here at Stack Overflow, however, the web page remains active until we make the next request to SO.

Cookies are used to keep the user information in the web browser so that when another request is sent to the server, the server knows who the client is (login information etc.). As you have experienced, after clearing the cache there is no login information stored in the browser, and when the next request goes out the server redirects you to the sign-in page. Therefore this is not possible.

This is not related to the user manually removing cookies, but from the server side you can clear cookies as shown here and here.

This isn't how the internet works. When I clear cookies on my machine, no request is sent anywhere. You can't know this.

Security of Cookie-based sessions

I need some clarity around how cookie-based sessions work. I'm building an app where I authenticate a user and, upon successful authentication, I stick a GUID identifying the user into the session, which in turn gets persisted as a cookie. Now when a user logs in, what's to prevent someone from sniffing traffic, stealing the contents of the user's cookie, creating a cookie on their own end and logging in to my site as that person? Another scenario could be that if I had physical access to a machine where the person was logged in, I could also steal the contents of the cookie and impersonate the user.

What's to prevent someone from sniffing traffic, stealing the contents of the user's cookie and creating a cookie on their own end and logging in to my site as that person?
SSL: the only way to stop that is to run your web site over HTTPS.
I had physical access to a machine where the person was logged in
Once you have physical access to a machine, all your security methods are moot. You can do nothing about this.

I think you have two questions here. In regard to the second: you should not be storing a session key in a cookie and having it stick around longer than the session. Set the timeout on the cookie to expire quickly and invalidate the session on the server as soon as reasonable, and the cookie becomes useless. If you are sending important information over the wire, use HTTPS.
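An added Python example (not code from any of the questions or answers on this page) that serves both the first question, why a second browser on the same IP address is asked to log in again, and this one, what a short lifetime plus server-side invalidation buys you when a cookie is copied. The server recognizes a browser only by the session ID in the Cookie header it sends back; the client IP is accepted by whoami() purely to show that it plays no part. A copied cookie does work (which is why the answers insist on HTTPS), but it dies the moment the server logs the session out or the idle timeout passes. COOKIE_NAME, IDLE_TIMEOUT, SessionStore and browser_stores() are illustrative names, not any framework's API; the clock is injectable so expiry can be shown without sleeping.

```python
"""Cookie-based sessions: per-browser identity, short expiry, server-side revocation.

Added example, not code from the questions or answers above. Names are
illustrative; a real deployment keeps the store in a shared backend.
"""
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before the server forgets the session


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": str, "last_seen": float}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def login(self, user):
        """Start a session for `user`; returns the Set-Cookie header value."""
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, only stealable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        jar = SimpleCookie()
        jar[COOKIE_NAME] = sid
        jar[COOKIE_NAME]["path"] = "/"
        jar[COOKIE_NAME]["secure"] = True    # never sent over plain HTTP, so not sniffable there
        jar[COOKIE_NAME]["httponly"] = True  # hidden from document.cookie (XSS)
        jar[COOKIE_NAME]["samesite"] = "Lax"
        return jar[COOKIE_NAME].OutputString()

    def whoami(self, cookie_header, client_ip=None):
        """Map an incoming Cookie header to a user name, or None.

        client_ip is accepted only to make the point: it takes no part in the lookup.
        """
        sid = _session_id_from_cookie_header(cookie_header)
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle too long: treat as logged out
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, cookie_header):
        """Invalidate server-side; every copy of this cookie is now useless."""
        self._sessions.pop(_session_id_from_cookie_header(cookie_header), None)


def _session_id_from_cookie_header(cookie_header):
    if not cookie_header:
        return None
    morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
    return morsel.value if morsel else None


def browser_stores(set_cookie_value):
    """What a browser keeps from Set-Cookie and echoes back as its Cookie header."""
    return set_cookie_value.split(";", 1)[0]


if __name__ == "__main__":
    store = SessionStore()
    browser_a = browser_stores(store.login("alice"))  # browser A's cookie jar
    browser_b = None                                  # browser B on the same machine: empty jar
    print(store.whoami(browser_a, client_ip="203.0.113.5"))  # alice
    print(store.whoami(browser_b, client_ip="203.0.113.5"))  # None: redirected to login
    store.logout(browser_a)
    print(store.whoami(browser_a))                    # None: stolen copies are dead too
```

The Secure flag is what makes the sniffing answer hold in practice: a browser will not attach the cookie to an http:// request at all, so a plaintext hop never carries it. The physical-access case is not solved by any of this, but logout() and the idle timeout bound how long a copied cookie stays valid.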

Unique twitter oauth help

I have done a lot of research on this issue without any success.
The OAuth system used by Twitter assumes you have a single application that can store the auth key; my situation is different. I have an application sitting behind a firewall that can get the required tokens; however, the callback cannot get through to the application due to firewall rules.
I have tried changing the firewall rules, but the people in charge of the servers refuse to do so at any cost; they also refuse to allow the website any write access to the one and only shared point of the application, the database.
The public-facing area of the website has no way of giving information back to the internal web admin area; it is a one-way transaction:
webadmin -> firewall -> (rw) database (ro) -> firewall -> website -> firewall
I need to authorize webadmin to allow it to post to Twitter.
I can get the temp auth key and can redirect to Twitter, but the Twitter callback with the final authorization key can only get to the public-facing website (10 physical servers), which has no way of talking to webadmin, so I can never complete the OAuth cycle.
I have tried saving to files and copy/pasting the auth code across, but for some reason it blocks any tweets made if the OAuth key is copied in this manner.
I have gone grey and am now bald trying to get this simple change in place;
please help.

As long as the user adding the Twitter account can visit webadmin in a browser, and webadmin stores some sort of temporary session so it knows which user is currently visiting it, you don't need to mess with firewalls, and nothing from Twitter or outside of your firewall needs to connect into your network.
The basics of how this works are as follows:
1) The user visits webadmin and has a request token generated. The request token is temporarily stored in a session.
2) The user is redirected to twitter.com with the public half of the request token, where they authorize access.
3) The user gets redirected to webadmin, which they can get to because they are the user within the firewall.
4) The request token can now be exchanged for an access token to be saved permanently and used to interact with the Twitter API as the user.

Twitter supports xAuth on special request, which doesn't require that kind of callback and might just work with your firewall. You basically just have to make the case for why you need to use xAuth instead of OAuth, and then you use a slightly different request structure.

OAuth for Desktop apps?

I wonder how desktop apps without any domain names use OAuth? Or is it not supposed to be used this way? If so, what do I use? Say for Tumblr: they have an authentication API, so will I have to put the username and password in the URL/query string?
I am thinking of using WPF/Adobe AIR. How does something like TweetDeck work?

I've been puzzled by the same question about the lack of a domain or app URL, but it turns out redirection is not the only possible way to complete the OAuth authentication process.
I.e., when a web app requests access it provides a callback URL: the one the user will be redirected to when the process is completed. That's how the web app knows that everything's done.
But you can't redirect to an application on the user's machine. Thus, there's another way: upon successful authentication the server presents a special code to the user. Then the user copies this code and provides it to the application.
You can see both ways described in the specification draft.
Also, here's an example of this authentication flow with Twitter.

It looks like it may be possible; see Google's docs on the subject:
https://developers.google.com/identity/protocols/oauth2/native-app
For a desktop app where a user needs to authenticate, you will usually want to use the authorization code flow.
The approach goes roughly like this:
Set up a temporary web server that listens on the loopback interface.
Present the login page to the user (either in an embedded browser control or an external browser), with the URL of your temporary web server as redirect_url.
Upon successful login, the user will be redirected to your temporary web server and you can obtain the access code from the code query parameter.
Using the access code, you can obtain a token and start making requests using it.
Shut down the temporary web server.
Please note that you will have to allow localhost as a redirect URL in your identity provider in order for this approach to work.
For further details, please take a look at these sample apps from Google.
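The loopback procedure from the answer above, as an added Python example (not the answer's own code and not Google's sample apps). It binds a temporary HTTP server on 127.0.0.1 with an OS-chosen port, builds the authorization URL with that port as redirect_uri, opens the system browser, serves exactly one request to capture the code, and shuts the server down. Two guards are added that the answer does not spell out: a random state value that the redirect must echo back, so a stray or forged request to the loopback port is ignored, and a PKCE code verifier/challenge (RFC 7636), which Google's native-app guidance recommends so that a code seen by another local process cannot be exchanged without the verifier. AUTH_ENDPOINT and CLIENT_ID are placeholders; the token-endpoint exchange is the network step left out. The redirect URI uses the 127.0.0.1 literal rather than "localhost", which is what RFC 8252 prefers for loopback redirects, so register that form with your identity provider.

```python
"""Loopback redirect for the authorization-code flow in a desktop app.

Added example; not the answer's code nor Google's samples. AUTH_ENDPOINT and
CLIENT_ID are placeholders; parameter names are the standard OAuth 2.0 ones.
"""
import base64
import hashlib
import hmac
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example.com/oauth2/authorize"  # placeholder
CLIENT_ID = "desktop-client-id"                               # placeholder


def new_pkce_verifier():
    """43..128 URL-safe characters, as RFC 7636 requires (64 here)."""
    return secrets.token_urlsafe(48)


def pkce_challenge(verifier):
    """S256 challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(redirect_uri, state, challenge, scope="openid"):
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Return the code carried by the redirect, or None for the wrong path, a
    provider error, or a missing/mismatched state (then never exchange it)."""
    parsed = urlparse(path)
    if parsed.path != "/callback":
        return None
    query = parse_qs(parsed.query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    if "error" in query:
        return None
    return query.get("code", [None])[0]


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single GET the browser makes when the provider redirects back."""

    def do_GET(self):
        code = parse_redirect(self.path, self.server.expected_state)
        self.server.received_code = code
        body = b"Login complete, you can close this window." if code else b"Invalid callback."
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the console quiet
        pass


def start_loopback_listener(expected_state, timeout=120):
    """Bind 127.0.0.1 on an OS-chosen port and return (server, redirect_uri)."""
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)
    server.expected_state = expected_state
    server.received_code = None
    server.timeout = timeout  # handle_request() gives up after this many seconds
    return server, f"http://127.0.0.1:{server.server_address[1]}/callback"


def run_flow():
    """The answer's steps in order; returns (code, verifier) for the token exchange."""
    state = secrets.token_urlsafe(16)
    verifier = new_pkce_verifier()
    server, redirect_uri = start_loopback_listener(state)
    try:
        webbrowser.open(build_authorization_url(redirect_uri, state, pkce_challenge(verifier)))
        server.handle_request()  # serve exactly one request (the redirect), then stop
    finally:
        server.server_close()
    # Omitted network step: POST code + verifier + redirect_uri to the token endpoint.
    return server.received_code, verifier


if __name__ == "__main__":
    print(run_flow())
```

Because any local program can open a connection to the loopback port, the state check is what keeps run_flow() from accepting a code it never asked for, and the PKCE verifier is what keeps an observed code from being useful to that program.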
You should start by reading about getting started with OAuth. Eventually, even a desktop application will open a browser window to authenticate the user; TweetDeck and other Twitter clients do this, as you've probably noticed.
Tumblr, in your example, doesn't use OAuth but rather basic authentication that is performed via simple HTTP web requests.
Twitter doesn't want users entering their credentials into your application. So at some point the desktop app will need to open a browser window through which Twitter can authenticate its users and return an access token representing the user. From that point the desktop app can use the access token to represent the user in all subsequent API calls to Twitter.

In a desktop environment you have another way to get the token: the URL the browser itself opens.
The OAuth2 server will redirect the user's browser to the redirect URL with the token as a query parameter, so if you control the browser used, you can read the token directly from the URL that the user was redirected to.
Graphical libraries like GTK+ have integrated options to create mini browsers that the user can use to authenticate, and that automatically return the token to the app, but other options are possible, like reading Firefox's URL, for example.