We have a J2EE application (running on -cough- IE only) that uses JSESSIONID to manage session state between client and server. Some of our customers use a third-party web application (https://mdoffice.sentara.com/) in which the client Javascript onload method calls:
document.execCommand("ClearAuthenticationCache");
This smashes our JSESSIONID cookie in the browser and hence causes the the app server to see subsequent requests from our IE client window as an invalid or timed out session and the user gets kicked out. Our server is OAS/OC4J, but I doubt this it matters: The same basic behavior occurs if I hit the above URL while logged into my online banking.
In trying to research this, I found that most folks are interested in duplicating this behavior in non-IE browsers. I'm interested in how to protect against it. We verified that our session cookies are have domain scoping, but the above command doesn't seem to honor that. We have a lame work-around by which we launch IE with a -noframemerging argument. That's ugly, and also ends up messing with our logic that tries to limit the client to a single login.
I can't find much useful on MSDN, but this article (http://blogs.msdn.com/b/ieinternals/archive/2010/04/05/understanding-browser-session-lifetime.aspx) does make it clear that the above command "...clears session cookies ... for ALL sites running in the current session".
Does anyone know of either:
Obviously preferable: A way to protect our precious session cookies from ClearAuthenticationCache?
Vane hope: A less aggressive alternative to ClearAuthenticationCache that we might tell our customers to communicate to the 3rd party? (Of course, they'd have to do this with any 3rd party that causes this problem. Currently there's just the one.)
Thanks for any help!
Related
I have an application with claims based authentication and recently I have been having an issue where at random I lose authentication. The application usually gets it's Identity, Claims information from System.Security.Claims.ClaimsIdentity and it authorizes fine. For some reason after clicking around different pages I lose authentication and it seems to be looking in System.Security.Claims.WindowsIdentity and it exits with a null exception as there is now no more authorization information. I am also using IdentityServerV3. I apologise for the lack of specific technical data but was wondering if anyone has ever had this issue. There is no specific time that this does this after as I first thought it might be expiring. It happens very randomly. I have included screen grabs:
This was when I was authorized
and this was 10 seconds later
If you need any further infromation let me know and thanks in advance!
I had similar issue where losing authentication randomly, caused by three reasons I can remember,
1) multiple threading - code was executed by a different thread that doesn't have identity context
2) cookie size exceeded browser limit authentication cookie get chunked when pass back to server
3) identity server hosted in multiple instances and identity server configured to store token in memory.
Regarding your case, my gut feel which might be completely red herring, is the 1) which the thread executing your code 10 sec later is under a different identity context , I would suggest try to verify any path of your code can by multiple threading first, at the mean time check the thinktecture log that can be found in output window if you are using default logging provider to see if anything suspicious
Hope it helps
I have an website build in MVC4 .NET. Now I want to tracking the time user had online in my website. Example: User open browser and then login to my website and active on my website about 30 minutes then close the browser. I want to store 30 minutes to database but I don;t know how to implement it. Please help me because I very need to do it now. Thank you so much
Here is a script that track user login/logout times on a website. It's a simple script that It has used on some of the sites. Also with this script you can see how many users are online at your site.
But the problem is when the user close the browser he do not log out. his session goes to expire
one of the other ways is global action filter that intercepts requests to all actions on all controllers, then you can get the time of each action in the database for the current user and page. To save hitting the database too hard, you could cache these values and invalidate them every few minutes, depending on how much traffic you're dealing with.
UPDATE
about Closing the Browser This is not something that's provided for in the normal web http protocol. There's no real way to know for sure when the browser closes; you can only sort of know. You have to throw together an ugly hack to get any level of certainty and even then it's bound to fail in plenty of edge cases or cause nasty side effects.
The normal work-around is to send ajax requests at intervals from the browser to your server to set up a sort of heartbeat. When the heartbeat stops, the browser closed and so you kill the session. But again: this is a horrible hack. In this case, the main problems are that it's easy to get false positives for a failed heartbeat if the server and client to get out of sync or there's a javascript error, and there's a side effect that your session will never expire on it's own.
i got a little odd situation to develop.
The MVC web system my team has to develop (or project is made with rails), will rely on login/password from another site.
The idea is, the user will have a log-in on the third part site, and somewhere relevant, will exist a link to our site. When the user click on that link, we need receive from the site, some data of the user.
We have no control of the third part server, or direct access to their database. Plus, making then make any change to their application/infrastructure is a BIGDEAL so i am searching for a solution with less impact for then. (Of course they will have do change something but will be a political issue, so the less, the better)
From our viem, we need to be sure that the user really come from the third part site (and only from there), and we not have received a fake message from an attacker.
Their site have an valid SSL certificate working. (no idea if my system will have one (it should))
Not sure if its relevant, but we think that their server is an oracle aplication server, who connect to a oracle server in their internal network.
I first thought in using just SSL, but i not sure how to do it (what i have to check, what i have to change?) and if is safe enought.
My second thought is to use PGP keys, and make then sing and cryptography the data before sending to us, and, the link yo our site, would make a post to a control on our server which would verify and de-crypt the data.
Anyone have any tips/pointers/thoughts that could help me?
If both servers are using SSL, and supposing the server give you at least a json or xml interface, should be ok to simply make a secure request (using, for example, rest-client) and evaluating the response in your server.
Most likely you will want to cache user data on login in your server, and if user/password aren't found, look in the other server - this will reduce the load.
An architectural question.
My site needs to allow the user to record video and upload it to the "site". I've been poking around a fair bit and it seems I have to use some kind of media server to achieve this aim. As I'm introducing this secondary server into the system (I seek to embed the flash app residing on this server into the HTML delivered by the site) it occurs to me that this broadens the scope of security a lot. What scares me is attackers trying to embed the flash app themselves or attempting to impersonate clients (or anything else I haven't thought of yet!).
I was therefore wondering how people secure their applications with such an architecture. Sure I can do what is suggested here, a decent band-aid for now but afaik the domain information can technically be falsified by the client.
I could separate out the auth of the site giving me a WebServer, an AuthServer and a MediaServer enabling the MediaServer to separately auth. Getting the user to log into both sites is obviously onerous and passing around the user's login creds and securing all connections sounds ugly and averse to best practice.
As far as I can see my best bet is some kind of temporary token that the auth server creates. So the website kicks the auth server after logging in to generate the token which the site can then pass to the media server (as part of the flash vars) and the MediaServer itself can use to double check against the auth server.
I'm relatively new to Red5, Flash and web security so I was wondering if the following sounds sane, secure and/or necessary. Also if anyone knows of decent tools to use for such an auth system and whether there is something already kicking about in ASP.NET auth for such a purpose.
the solution provided in your link ... you should read my second comment.
The first about virtual hosts is wrong! My comment does actually tell you (at least one) solution to secure your app.
You could for example pass a SESSION_ID in the connect method to Red5. The user would get the SESSION_ID from another webservice call before he invokes the record or playback method.
The SESSION_ID might be even some kind of temporary token, that is only valid for 15 minutes and only usable a single time for exactly that video. How far you implement that is a matter of how secure your mechanism needs to be.
Sebastian
I have a flex app using BlazeDS to talk with a web app using Spring Security. During normal use the user has already logged into the web app before running the flex app, so the browser takes care of passing the JSESSIONID session cookie on the outgoing messages so the web app knows who they're coming from.
However, I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging, which means there's been no previous login and thus no existing session. I put some code in -- just for the purpose of debugging -- to first send a login message. That works, and the JSESSIONID cookie comes with the response, but I don't know how to attach it to the subsequent BlazeDS remoting calls that the app makes.
Is there some sort of channel configuration that does this, or some other method? And if you're going to point me to the BlazeDS/SpringSecurity preauthentication example, I appreciate the thought, but we already have a fairly involved configuration of Spring Security and I don't want to mess with that.
As an aside, I was a bit disconcerted when I tried to follow a suggestion to call login() on the RemoteObject's ChannelSet, only to find that the ChannelSet was null. I don't see how that can be, since the remoting calls work, using -- I can only assume -- the AMF channel defined in the services-config.xml. Anyway, I don't know whether login() works by sending j_username and j_password to /j_spring_security_check anyway, so it might not have been appropriate; and of course I'd still be left with the subject of this query, which is how to use the session once it's been created.
I don't think it'll help to explain anything, but I'll include some code and config snippets...
The login:
<mx:HTTPService id="loginRequest" url="http://fiddler:8080/app/j_spring_security_check" useProxy="false"
method="POST" result="handleLoginResult(event)">
<mx:request xmlns="">
<j_username>username</j_username>
<j_password>password</j_password>
</mx:request>
</mx:HTTPService>
The RemoteObject:
<mx:RemoteObject id="remoteObject" destination="blazebackend">
<mx:method name="getConfigData" result="handleConfigDataResult(event)" fault="handleFault(event)"/>
<mx:method name="addSession" result="handleAddSessionResult(event)" fault="handleFault(event)"/>
</mx:RemoteObject>
A channel:
<channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
<endpoint url="/{context.root}/app/amf" class="flex.messaging.endpoints.AMFEndpoint"/>
</channel-definition>
TIA.
I'd like to be able to run the flex app from my IDE (IntelliJ IDEA) for debugging
Using Eclipse you can debug inside Eclipse IDE when deployed on a localhost or remote server by configuring the "Url or path to use" when starting debugging.
JESSIONID means that you're using Java EE authentication, the login method of the ChannelSet can be used for a custom and or Basic authentication (that can be or not a Java EE authentication), I think the best for you is to deploy on a localhost, or eventually remove security when debugging.