Notify Server (Web API on IIS) when cookie is Deleted. When user manually clears, browser cookies. How do I notify my website to immediately log-out the user.
Right now, when new request comes-in we redirect to sign-in in absence of cookie.
EDIT:
To present an analogy, azure management portal logs out the user immediately, however here at stack overflow web page remains active until we make next request to SO.
Cookies are used to keep the user information in web browsers so that when another request is sent to server, server knows who the client is (login information etc.). As you have experienced after clearing the cache there is no login information stored in browser and when the next request goes server redirects you to the sign in page. Therefore this is not possible.
This is not related to User manually removing cookies, But from server side you can clear cookies as shown here and here.
This isn't how the internet works. When I clear cookies on my machine, no request is sent anywhere. You can't know this.
Related
Given an app using Oauth 2.0 Authorization Code Flow via Microsoft's msal.js, I login by providing my credentials. Then I fully clear my browser's state, cache, local/session storage, and refresh the page so that the single page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.
When I initiate another login, it is able to do so silently, without re-asking me for my credentials.
Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token, the Microsoft backend can authenticate me as the same user even though I cleared the js memory and all cache/session/local storage
How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?
More details:
The following does require me to re-enter my credentials (as I would expect it to):
a private/incognito tab
closing the browser and reopening it
using a different browser on the same computer
The following does not require me to re-enter my credentials and can log on silently:
authenticating in a new tab with cleared local state
authenticating in a new window of the same browser with cleared local state
refreshing the tab and clearing local state
I would expect the 3 "not" scenarios to require credentials, but they do not. How can I be authenticated without the browser keeping any local state?
The Microsoft library was storing a cookie owned by AAD, not my app.
answer on github
Does ORY Hydra currently have a feature that verifies if a client is logged in via OpenID Connect? I notice there is an API to logout via front-channel
When a user revisits the identity provider, however, I have no way of knowing if they are currently logged in or not. They could delete their client-side HTTP cookies and then I am out of sync with Hydra. Meaning: Hydra has them as logged in, but I have them now as logged out. Also, in the event of a back-channel logout, I want to be able to query for this state.
Is there an API I am overlooking that allows me to know whether a client currently has an active OpenID Connect login via Hydra?
It appears as of right now the only thing one can do is redirect the user to the authorization endpoint since we have no way of knowing if they are authorized or not.
The following two tables that ship with Hydra seem to be the source of truth for the data I am after: hydra_oauth2_access and hydra_oauth2_authentication_session. Does it ever make sense to query those directly if there is no supported HTTP API out of the box to see if a user has an active authentication session?
Sending an authentication request via a redirect to the Provider including prompt=none addresses this use case: it will silently login and return new tokens if there's an ongoing SSO session at the Provider, it will return an error code login_required if not.
Notice there will never be explicit user interaction in both cases so this is convenient (and meant) to run in an hidden iframe.
LOGGED IN STATE
An OAuth client is most commonly a UI application with multiple users. Each user's logged in state is represented by an Authorization Server session cookie that neither the application or user have access to:
The Authorization Server (AS) issues an SSO cookie, to be stored in the system browser for the AS domain
Both Web UIs and Native UIs send it implicitly on subsequent requests, when they invoke the system browser
AUTHORIZATION REDIRECTS
When an OAuth UI redirects the user, it is generally unknown whether:
The user will be prompted to login
The user will be signed in silently (eg the user could have signed in to another app)
For a Web UI it is possible to send an authorization redirect on a hidden iframe with a prompt=none parameter. If the user needs to sign in a login_required error code will be returned. See my Silent Token Renewal Page for further details.
This is not fully reliable however, and has some browser issues in 2020. Also it may be unsuitable if you are using a different type of client.
FEDERATED LOGINS
In some setups the AS redirects further to an Identity Provider (IDP), and the user's login state is further influenced by an IDP session cookie.
There is no way for an app to get hold of the user's IDP login state, since the app only ever interacts with the AS.
IS THERE A USABILITY PROBLEM?
If so, post back and we can discuss further ...
I am working on an a security module for an application, using google's oauth 2.0 access token using what's being suggested in the section "Obtaining OAuth 2.0 access tokens" on this article :https://developers.google.com/identity/protocols/OAuth2WebServer
I am storing the access_token received as part of the step 5 in the article above, "Step 5: Exchange authorization code for refresh and access tokens".
Lets say that the user goes to any google web app in the browser and logs out, I understand that google's session is invalid at that point that's fine and that is the session which the access_token i have stored was generated for, then, lets say that in that moment the user was logged into my app and my app's session expired so the problem is that if my app's session expires and the user goes to my app, my app will try to validate the access token ( i want to maintain my app's session somewhat align with the google session as long as the google session is alive ) but this service https://www.googleapis.com/oauth2/v2/tokeninfo does not intermediately reflect that the access_token i have in my app is invalid, it takes a lot of minutes to reflect that the user has logged out and the access token is not valid.
Please excuse my long explanation and i expect it is clear.
Now my question is, what google rest/service provides a better validation for the access_token?
I think you have a wrong assumption that an access token (and a refresh token) is bound to the session that was used when authenticating the user. I tried to find some info about it, but didn't succeed. There may be multiple sessions - for example in different browsers. If you log out in one browser, the other stays logged in, so there is probably no "global sign out" that would terminate all sessions of the user.
If the tokens were invalidated on the browser session logout, it would make the applications using the tokens fragile. For example mobile or desktop applications that use a browser just for authentication and don't use to keep the browser window open after successful authentication, so they cannot keep the browser session alive. Their tokens would get invalidated with the session expiration.
Google doesn't seem to provide OpenID Connect session management features in their discovery document, so you cannot monitor the session using iframes either (as described in the RFC).
In my application I have used several session variables, but not given any session timeout in web.config. I have used authentication mode as none in web.config.
But after some inactivity time, its logging out and redirecting to login page. It should remain and all operations should carry as it is even though I kept it inactive for hours (like GMail, until we click logout it will be there). Please assist me in resolving this inactivity session out issue. It should not loose any sessions and operations should carry until I click explicitly "LogOut"
Best approach to handle this is,
Save user session on the database and store session token in a COOKIE which will never expire (You have set cookie expiry as never expire)
That saved cookie and session data on database will be removed when user is logout (You have modify logout code to remove those).
As well as, if user clears all saved cookies on the web browser then, that saved session no longer valid and user will have to login again to your system again. That is a obvious thing
FYI: This is the way exactly to enable Remember me feature.
I need some clarity around how cookie-based sessions work. I'm building an app where I authenticate a user and upon successful authentication, I stick a GUID identifying his user into the session, which in turn gets persisted as a cookie. Now when a user logs in, whats to prevent someone from sniffing traffic, stealing the contents of the user's cookie and creating a cookie on their own end and login to my site as that person? Another scenario could be if I had physical access to a machine where the person was logged in, I could also steal the contents of the cookie and impersonate as the user.
Whats to prevent someone from sniffing traffic, stealing the contents of the user's cookie and creating a cookie on their own end and login to my site as that person?
SSL - the only way to stop that is to run your web site on HTTPS.
I had physical access to a machine where the person was logged in
Once you have physical access to a machine all your security methods are moot. You can do nothing about this.
I think you have two questions here. In regard to the second you should not be storing a session key in a cookie and have it stick around longer than the session, set the timeout on the cookie to expire quickly and invalidate the session on the server as soon as reasonable and the cookie becomes useless. If you are flowing important information over the wire use https.