Admins should be able to log out a user remotely through the admin console.
When a user logs in, a cookie is set with cookies.signed[:user_token]
The cookie is deleted with cookies.delete :user_token when user logs out.
I can only access and delete the the cookie for the current user that is sending the requests to my rails controller. The cookies hash only has the :user_token of the current user and the session_store key.
Is it possible to access the cookies of all logged in users and delete them from one account? I can't find any info on this.
An alternative way of doing this:
Keep track of the log-in state(0 or 1) of every user in the database. Every time a user logs in, the state is set to 1.
Allow admins to change the state to 0 through the admin console.
The client browser requests the login state every minute or so. if the state is 0, send a logout request.
What do you guys think about this way of doing it?
As far as i know, cookies are stored in the user's browser. You can't delete them. You could invalidate them somehow, but per user, it would be difficult.
Storing login state in the database should be the solution you are looking for. So when a user comes in, you do the usual authentication and then check database. If 0 you make them login. That way admins can change that one value. Also you gotta put something in to expire the flag in your session table
Related
I use MVC(4) with Identity (2.0) and my webapp have a page for admin to manage users.
One functionality of the admins is to inactive(freeze) a user account the way I implemented it:
Add a field in my DB called 'Active' and if the admin is deactivate the user the field value is '0'.
In order not to check for every user in every page of my website is to do it only when the user is trying to log in, so before I let him log in I check this field.
But now I have the problem:
Use-Case example: the admin is deactivate account of user "x" and after 10 min the user "x" enter the site and the site "Remember" him and not ask him to log in so my check will never happens.
if the site is "remember" the user and not asking him to log-in i'm in trouble, i need somehow to sign out the user.
I read about cookies and security stamp and my conclusion is:
I need to change the security stamp of the user in order to prevent the site to "remember" the user and allow him not to log in.
First thing: did i got it right ? change the security stamp of a user and the site wont remember him ?
Second thing: i notice that the security stamp is a guid so i can generate programmatically and insert to the security stamp field of the user, yes ? no ? why ?
If you have a better implementation to the whole thing...ill gladly hear it :)
Thank You
Update: Maybe if i change some field of the user in the database( a field that i'm not using like telephone) it will update the security stamp automatically ?
Update2: Even if i generate manually GUID and put it in the security stamp field(upon the DB) it doesn't force the user to log-out.
I've used javascript to get the logout to happen
<i class="glyphicon glyphicon-log-out"></i> Log off
Even if the User is remembered by the browser, he still needs to be authorized. You can always perform this check on authorization rather than on authentication. That way, even if the user is in the process of browsing the site and the administrator freezes the account, his browsing won't be able to continue, because on the next authorization, he will be logged out and unable to log back in.
Authentication: Who is this person and is he really who he claims to be?
Authorization: Is the logged in person authorized to perform this action or access this resource?
As suggested by James in a comment, I also agree that this can be implemented as a role or a claim. Look into claims with the Asp.Net Identity and I'm sure you'll find the solution much more elegant and flexible.
In a ASP.NET MVC application, is it possible to log someone out, if the login credentials is used on another web client?
For e.g.,
1) user login from PC A, with user id admin
2) another user logs in with user id admin from PC B
3) PC A gets signed out
I would look at setting a token on the client cookie. This token can be checked for subsequent calls and if it doesn't match then kick the user off.
So, in terms of a use case...
Create a table - LoggedInUsers that has, say, the UserID, Token
When user logs in on browser A you can check against the LoggedInUsers table to see if they are currently logged in and have a matching token. If they don't exist, then create a token and store it in their cookie and add the entry to the table. If they are in the table and do have a matching token then they are the same browser. If they are in the DB but the token doesn't match then you choose whether you want the new user to have their token overwrite the existing one or prevent logging in.
now ever page call should check the LoggedInUsers table so you can log the user out if they are logged in via another browser.
Hope that makes sense...
I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in active directory, the user stays logged in to the web app?
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled etc?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has a authentication ticket (cookie), the user is not challenged for authentication again until until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will
be required to use their new password. Variations of this solution include using session-only cookies so that the user must always login when the browser is closed (recommended for AD authentication).
Write an Http Module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you exprire the user's cookie and re-direct them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
I have a JSF login page using form authentication. I login users by calling HttpServletRequest.login(username, password). Logging out is done by first calling ExternalContext.invalidateSession() and then calling HttpServletRequest.logout() for the current user.
My plan is to keep track of the logged in user in an application scoped list by adding to the list anytime a user logs in and removing from the list when a user logs out.
I have two concerns with this approach:
If a user that was already logged in tries to log in again without first logging out, I want to invalidate the existing session and do some cleanup. How do I access the session for a given logged in user? I could also use this functionality to forcefully logout some users.
If a session expires (e.g. timeout) I want to remove the user from the list of logged in users. How do I listen for a session expiration?
Maintain a Map<User, HttpSession> logins in application scope yourself. During login, check if logins.put(user, session) doesn't return null and then invalidate it.
Let the User implement HttpSessionBindingListener and implement valueUnbound() accordingly so that it does a logins.remove(this). Or, if you don't have control over User, then implement HttpSessionListener#sessionDestroyed() instead to perform the remove.
Unrelated to the concrete problem, calling HttpServletRequest#logout() is unnecessary if you already invalidate the session. The user is tied to the session anyway.
I have given the following command in my environment.rb
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'sessionname'
I want my application to expire to some dynamic value which i get from user.
Once the session time which user gives me lapses, i want to remove all the cookies.
I could expire all cookies other than the one above i.e sessionname
This holds the session id and this is the main cookie i want to expire.
Could some one suggest a solution?
it's not good idea to expire session key as it will disrupt users from working with your application
i'd suggest you to have a separate permanent_session_id in cookies which you generate manually upon login and store with expiration time. then use that cookie to log users in if session does not exist.
such approach will allow users to stay logged in while using application and be logged out automatically if permanent_cookie_id is expired after restarting session.