I use MVC (4) with Identity (2.0) and my web app has a page for admins to manage users.
One of the admins' functions is to inactivate (freeze) a user account. The way I implemented it:
Add a field in my DB called 'Active', and if the admin deactivates the user, the field value is '0'.
In order not to check every user on every page of my website, I do it only when the user is trying to log in, so before I let him log in I check this field.
But now I have the problem:
Use-case example: the admin deactivates the account of user "x" and after 10 min user "x" enters the site, and the site "remembers" him and does not ask him to log in, so my check never happens.
If the site "remembers" the user and does not ask him to log in, I'm in trouble; I need somehow to sign out the user.
I read about cookies and the security stamp and my conclusion is:
I need to change the security stamp of the user in order to prevent the site from "remembering" the user and allowing him not to log in.
First thing: did I get it right? Change the security stamp of a user and the site won't remember him?
Second thing: I notice that the security stamp is a GUID, so I can generate one programmatically and insert it into the security stamp field of the user, yes? No? Why?
If you have a better implementation of the whole thing... I'll gladly hear it :)
Thank you
Update: Maybe if I change some field of the user in the database (a field that I'm not using, like telephone) it will update the security stamp automatically?
Update 2: Even if I generate a GUID manually and put it in the security stamp field (in the DB), it doesn't force the user to log out.
I've used JavaScript to get the logout to happen:
<i class="glyphicon glyphicon-log-out"></i> Log off
Even if the user is remembered by the browser, he still needs to be authorized. You can always perform this check on authorization rather than on authentication. That way, even if the user is in the process of browsing the site and the administrator freezes the account, his browsing won't be able to continue, because on the next authorization he will be logged out and unable to log back in.
Authentication: Who is this person and is he really who he claims to be?
Authorization: Is the logged in person authorized to perform this action or access this resource?
As suggested by James in a comment, I also agree that this can be implemented as a role or a claim. Look into claims with the Asp.Net Identity and I'm sure you'll find the solution much more elegant and flexible.
Is there a way to stop accounts.setAccountInfo from deleting an email if it is the last standing login ID?
Currently, if I have 2 verified emails, both loginIDs, and issue 2 requests removing one email at a time (I know I can pass a comma-separated list), I end up with an account that can't log in anymore as no login ID is left.
Both return 200 OK and no error code.
I've looked for an ETag implementation so I can at least force some sort of optimistic lock, but couldn't find support for it.
Any ideas?
This is by design: in case a user's email(s) were compromised, there needs to be a way to disable login to the account until the user can have their information updated via a customer service representative. There is no out-of-the-box way for an end user to use this particular parameter, so unless a currently logged-in user is manually calling the method from the JS console, there is no way for this scenario to happen accidentally.
From the server side, if you are worried about a specific application calling this method and need to restrict a specific app from accessing this particular API, you can assign the application key to a permissions group with restricted permissions. Ref: https://developers.gigya.com/display/GD/Console+Administration#ConsoleAdministration-PermissionGroups
If you think this behavior should change, please open a ticket from your Gigya/CDC account dashboard for investigation.
I'm trying to create a new user in MODX REVOLUTION 2.3.0, but for some reason the user cannot access the manager area. I tried to clear every bit of cache, and also made sure the password was created by the system (the email has been sent) and that the user belongs to the Users group.
Strangely, when looking at the user settings, it says that the user has made some 10 logins, but in reality, he has not.
When I type a wrong password, I get the wrong password error message, when I type a correct password, the input field gets cleared and nothing else happens.
Any idea how to solve this?
Thanks.
It seems that the user doesn't have access to the mgr context. Any user needs the «frames» permission to get access to the manager.
Try to update the user's data and make him a sudoer. It'll help to understand if wrong permissions cause the problem.
Exactly. Like #proxyfabio said, he needs access to the manager. To at least assess if the user login works, give him temporary SUDO rights. If that works, work your way from the ground up.
Make sure an Access Policy Template and Access Policy is created. Make sure the policy contains "frames" and is checked at the Policy Template edit screen. Next, PLEASE, make a separate Role, like "Customer". Go into the Administrator group (or again, PLEASE, create a Customer group) and head on over to the Users tab. Add the User to the group with the Role Customer - "your level" (I usually use increments of 500 or 1000).
Under Context Access, add the user to the mgr context with the specified role and your Customer policy. Do the same for web if you wish to avoid any in-depth issues.
Finally, save your settings, flush your permissions, clear your cache and optionally flush your sessions table (you can also delete cookies for the browser you're using). When you've done all that, create an Incognito tab in Chrome or Firefox to avoid issues and try the login again.
I have somewhat the same issue: if I try to log in a duplicate manager user from an Android phone, the login count goes up, a wrong password gives an error and the correct password just refreshes the login page.
However logging in from a computer works. Initially it didn't...
Here are my steps:
Duplicate manager user
Set new password
Login fails
Click forget login for e-mail
Login successfully (computer) with the new generated password
Change original password to original password!? :D
Login works everywhere except my phone
.Net 4.5.1 / MVC 5.1.2 / Identity 2.0.1
Greetings,
I needed a way for administrators to disable (not delete) user accounts, so I set the LockoutEndDateUTC field to a future date; I already had the LockoutEnabled field set to true for all users. There's another SO thread, here, that talks about the same method. This obviously works, but only if the user has to enter a username/password.
Here's the problem... If the user has set the auth cookie with the "Remember Me" functionality prior to being disabled, the lockout is not being checked and all subsequent visits are authenticated and the "lockout" is ultimately overlooked.
Firstly, I believe this to be a bug in Identity and I've already logged an issue on codeplex.
Second, Is there a better way to disable a user in version 2.0?
Thank you!
Locked out users are prevented from logging in, but indeed being locked out does not reject existing cookies; otherwise malicious users could cause the real user's cookie to get rejected. Of course, if you do want this behavior, you can simply call UpdateSecurityStamp on the user who's locked out in your Login action; this will reject existing cookies the next time they are validated against the database.
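The following is an added worked example (not code from the question or from any of the answers above) that puts the advice from this answer next to the earlier point about checking on authorization: the admin's "freeze" sets the lockout and rotates the security stamp through the Identity API, and the cookie middleware is configured to re-validate the stamp on a short interval, which is also why writing a GUID straight into the SecurityStamp column appeared to do nothing in the asker's Update 2. ApplicationUser, ApplicationUserManager, ApplicationDbContext and GenerateUserIdentityAsync are assumed to be the Visual Studio 2013 MVC 5 template types; AdminUsersController and its actions are names chosen for this example.

```csharp
// Added example, not code from the question or the answers: ASP.NET Identity 2.0 (MVC 5)
// pieces that make an admin "freeze" stick for a user whose browser still holds a
// "Remember me" cookie. ApplicationUser, ApplicationUserManager, ApplicationDbContext and
// GenerateUserIdentityAsync are assumed to be the Visual Studio 2013 template types.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Every validateInterval the stamp claim inside the cookie is compared with
                // the SecurityStamp column; a mismatch rejects the cookie. The template default
                // is 30 minutes, which is why a GUID written straight into the table seems to
                // do nothing at first: the next check simply has not run yet. A remembered
                // user is therefore signed out at most validateInterval after the freeze.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

[Authorize(Roles = "Admin")]
public class AdminUsersController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Freeze = two things: the lockout blocks new password logins, the stamp rotation
    // invalidates cookies that were issued before the freeze.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Deactivate(string id)
    {
        ApplicationUser user = await UserManager.FindByIdAsync(id);
        if (user == null) return HttpNotFound();

        await UserManager.SetLockoutEnabledAsync(id, true);
        await UserManager.SetLockoutEndDateAsync(id, DateTimeOffset.UtcNow.AddYears(100));
        // Let the framework rotate the stamp rather than hand-writing a GUID into the column.
        // The effect on existing cookies is the same either way; it is the validator above,
        // not the database write itself, that signs the user out.
        await UserManager.UpdateSecurityStampAsync(id);
        return RedirectToAction("Index");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Reactivate(string id)
    {
        ApplicationUser user = await UserManager.FindByIdAsync(id);
        if (user == null) return HttpNotFound();

        // Clearing the lockout is enough; the user logs in again and gets a fresh cookie
        // carrying the current stamp. (MinValue is stored as NULL by the EF user store.)
        await UserManager.SetLockoutEndDateAsync(id, DateTimeOffset.MinValue);
        return RedirectToAction("Index");
    }
}
```

With this in place the separate 'Active' column from the question is no longer needed: the lockout end date is the "frozen" flag, SignInManager's password sign-in already refuses locked-out users, and the stamp check covers the remembered-cookie case. The interval is a trade-off; each validation is one database read per authenticated request that crosses the interval boundary.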
I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in Active Directory, the user stays logged in to the web app.
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled, etc.?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has an authentication ticket (cookie), the user is not challenged for authentication again until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will be required to use their new password. Variations of this solution include using session-only cookies so that the user must always log in when the browser is closed (recommended for AD authentication).
Write an HTTP module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you expire the user's cookie and redirect them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
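Added example (not code from either of the two answers above) that implements both suggestions at once: the first answer's approach of hand-building the FormsAuthenticationTicket so that UserData carries the time the AD credentials were last validated, re-checked against the membership provider every 30 minutes, and the second answer's HTTP module that expires the ticket immediately for users on a "recently updated" list. AdAuth, AdRevalidationModule, RecentlyChanged and the Check enum are names chosen here; the in-memory list is a stand-in for whatever shared store a real deployment would use.

```csharp
// Added example, not code from the answers above: FormsAuthentication ticket that carries
// the time the AD credentials were last validated in UserData, and an IHttpModule that
// re-validates against the membership provider every 30 minutes, or immediately for
// accounts an admin has flagged. AdAuth, AdRevalidationModule and RecentlyChanged are
// names chosen for this example.
using System;
using System.Collections.Concurrent;
using System.Globalization;
using System.Web;
using System.Web.Security;

public static class AdAuth
{
    public enum Check { Fresh, Revalidated, Rejected }

    private static readonly TimeSpan RecheckEvery = TimeSpan.FromMinutes(30);

    // Accounts changed by an admin since their last validation (user name -> time flagged).
    // Kept in memory here for the example; a web farm would need a shared store.
    public static readonly ConcurrentDictionary<string, DateTime> RecentlyChanged =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    // Replacement for FormsAuthentication.SetAuthCookie: same cookie, but UserData records
    // when the password was last checked against the directory.
    public static void SignIn(HttpResponseBase response, string userName, bool persistent, DateTime validatedAtUtc)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout), persistent,
            validatedAtUtc.ToString("o", CultureInfo.InvariantCulture), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Decides whether a presented ticket is still trustworthy. "lookup" is the membership
    // call, injected so the rule can be exercised without a directory behind it.
    public static Check Evaluate(FormsAuthenticationTicket ticket, DateTime nowUtc, Func<string, MembershipUser> lookup)
    {
        DateTime validatedAt;
        if (!DateTime.TryParse(ticket.UserData, CultureInfo.InvariantCulture,
                               DateTimeStyles.RoundtripKind, out validatedAt))
            return Check.Rejected;                 // ticket without our marker: force a fresh login

        DateTime flagged;
        bool flaggedSince = RecentlyChanged.TryGetValue(ticket.Name, out flagged) && flagged > validatedAt;
        if (!flaggedSince && nowUtc - validatedAt < RecheckEvery)
            return Check.Fresh;                    // inside the grace window, no directory round trip

        MembershipUser user = lookup(ticket.Name);
        bool ok = user != null && user.IsApproved && !user.IsLockedOut
                  && user.LastPasswordChangedDate.ToUniversalTime() <= validatedAt;
        return ok ? Check.Revalidated : Check.Rejected;
    }
}

// Register in web.config under <system.webServer><modules>:
//   <add name="AdRevalidation" type="AdRevalidationModule" />
public class AdRevalidationModule : IHttpModule
{
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticateRequest; }
    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null) return;              // anonymous request, nothing to revalidate

        DateTime now = DateTime.UtcNow;
        switch (AdAuth.Evaluate(identity.Ticket, now, name => Membership.GetUser(name, false)))
        {
            case AdAuth.Check.Fresh:
                return;
            case AdAuth.Check.Revalidated:
                // Passed a live check: reissue so the next one is another 30 minutes away.
                AdAuth.SignIn(new HttpResponseWrapper(ctx.Response), identity.Name,
                              identity.Ticket.IsPersistent, now);
                return;
            default:
                FormsAuthentication.SignOut();
                ctx.Response.Redirect(FormsAuthentication.LoginUrl, true);
                return;
        }
    }
}
```

The login action from the question then becomes `if (Membership.ValidateUser(m.Username, m.Password)) AdAuth.SignIn(Response, m.Username, true, DateTime.UtcNow);`. A password change in AD moves LastPasswordChangedDate past the validation time stored in the ticket, a disabled account clears IsApproved, and an admin adding a name to RecentlyChanged skips the grace window, so all three cases end the session on the next request rather than at cookie expiry. Tickets issued by the old SetAuthCookie path have empty UserData and are rejected once, which forces one re-login during the switch.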
I'm designing a small ASP.NET MVC site for a club. Generally, I want users to be able to stay logged in, but what happens if a user's membership has lapsed? Is there any way to "de-authorize" them so that next time they try to view a page, it redirects them to a page telling them their membership has lapsed?
If the timeout defined for the authentication cookie is hit, it will no longer be valid and users will automatically be redirected to the login page. If you want to sign them out automatically under some circumstances you could simply:
FormsAuthentication.SignOut();
Why don't you make the expiration of the authentication cookie the number of days that you want or their membership expiration date, whichever is sooner? Then you get the benefit of it being handled automatically.
When you get the user's information from the cookie, you could add a check to see if their membership has lapsed and redirect them to that page.
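An added example (not code from the question or the answers) combining the last two suggestions: the cookie lifetime is the shorter of the "remember me" window and the membership end date, and an AuthorizeAttribute re-checks the membership on each request so that a member whose membership lapses mid-session is signed out and sent to a "lapsed" page rather than to the login form. IMemberRepository, MemberAuth, ActiveMemberAttribute and the ~/Membership/Lapsed route are names chosen for this example.

```csharp
// Added example, not code from the answers above: the cookie lifetime is the shorter of the
// "remember me" policy and the membership end date, and an AuthorizeAttribute sends members
// whose membership lapsed meanwhile to a "lapsed" page instead of the login page.
// IMemberRepository, MemberAuth and the /Membership/Lapsed route are names chosen here.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public interface IMemberRepository
{
    DateTime? GetMembershipEndUtc(string userName);   // null = no expiry on record
}

public static class MemberAuth
{
    public static readonly TimeSpan RememberFor = TimeSpan.FromDays(30);

    // Whichever comes first: the normal remember-me window or the membership end date.
    public static DateTime CookieExpiryUtc(DateTime nowUtc, DateTime? membershipEndUtc)
    {
        DateTime byPolicy = nowUtc.Add(RememberFor);
        return membershipEndUtc.HasValue && membershipEndUtc.Value < byPolicy
            ? membershipEndUtc.Value : byPolicy;
    }

    public static void SignIn(HttpResponseBase response, string userName, DateTime? membershipEndUtc)
    {
        DateTime expiresUtc = CookieExpiryUtc(DateTime.UtcNow, membershipEndUtc);
        if (expiresUtc <= DateTime.UtcNow) return;   // already lapsed: issue no cookie at all
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, expiresUtc.ToLocalTime(),
            true, string.Empty, FormsAuthentication.FormsCookiePath);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Expires = ticket.Expiration   // browser-side expiry matches the encrypted ticket's
        });
    }

    // True when the member has no recorded end date or it is still in the future.
    public static bool IsCurrent(DateTime? membershipEndUtc, DateTime nowUtc)
    {
        return !membershipEndUtc.HasValue || membershipEndUtc.Value > nowUtc;
    }
}

// [ActiveMember] on controllers/actions: the per-request check the last answer describes.
public class ActiveMemberAttribute : AuthorizeAttribute
{
    public static Func<IMemberRepository> Members;   // wired up at startup (assumed DI hook)
    private const string LapsedKey = "MembershipLapsed";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;   // not signed in at all
        DateTime? end = Members().GetMembershipEndUtc(httpContext.User.Identity.Name);
        if (MemberAuth.IsCurrent(end, DateTime.UtcNow)) return true;
        httpContext.Items[LapsedKey] = true;       // remember why, for the redirect below
        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Items.Contains(LapsedKey))
        {
            FormsAuthentication.SignOut();         // drop the old cookie so the check stops repeating
            filterContext.Result = new RedirectResult("~/Membership/Lapsed");
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);   // anonymous: usual login redirect
    }
}
```

The cookie clamp covers the common case for free, and the attribute covers the one the clamp cannot: a membership that is cancelled or shortened after the cookie was issued. The repository call runs on every authorized request, so cache the end date if the member table is large.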