For the project I'm working on i need to be able to authenticate visitors based on their IP address under certain conditions.
The way I have been doing it is by comparing the visitor's IP address to a table in my database. If the IP checks out i get the related user from the DB and log it in with limited access.
However I've been doing this using the Session_start() method in global.asax and creating a session variable that specifies if the user is logged in via IP or not. I then restrict certain functions if the user is logged in via IP.
However this hasn't been working well enough, mainly because when the user firsts visits the site i want to let him know that he's been logged in via his IP address, but the session start seems to be fired after the view has been rendered so the message isn't displayed until the visitor refreshes the page or visits a subpage. Just having a session variable also doesn't seem safe enough(though i admit i haven't researched that properly).
I´ve tried to do the checking and auto login in the Application_BeginRequest() method but the authentication manager hasn't been initialized that early in the request so i can't log the user in.
Anyone that can point me in the right direction? What the best way to accomplish this would be?
You can use and extend the AuthorizeAttribute and override OnAuthorization so that you can put your checking there.
Related
I am trying to figure out how can we detect if we are logged in to a site from Firefox Extensions.
I am planning to invoke a rest api in the target site to detect if the user is loggedin or not. I am not sure what is the right place to make such calls.
Going though documentation, seems like main.js is could be the place where I want to put such method, but then I am not sure how to call form my views this particular method in main.js
There is no generic way to determine that a user is logged in to a site. Every site can, and does, choose their own method of doing so. The most common method is to store a session cookie on the user's machine through the browser. However, the specifics are nearly certain to be different at each site. There is also the question of, in your situation, if there is the possibility that the site permits the user to be logged in for an extended period of time (i.e. not just in a session).
The most probable way to successfully determine how the fact that the user is logged in is recorded on the machine is to look at the differences between what cookies are stored (for the site) prior to the user being logged in, while the user is logged in, and after the user is logged out. There are a large number of extensions dealing with cookies. One of them should probably be able to help with letting you look at the information you need to examine for this investigation.
Once you have that information, you can use a variety of different interfaces in Firefox to access the cookies and see if the user is logged in. Obviously, you will want to listen for changes, and/or listen for a page from the site to be loaded (overlay/bootstrapped, SDK) rather than pooling for changes in the cookies.
MDN refs about the cookie interfaces:
Deal with individual cookies:nsICookie, nsICookie2 nsICookieManager, nsICookieManager2
Deals with the entire cookie string: nsICookieService
I am working on bringing WebSockets functionality to my Grails application. I use Atmosphere Meteor plugin 0.7.1 for this purpose.
The workflow is simple:
User logs in the system.
User open page with WebSockets functionality
User clicks a Connect button to establish the connection... and the server doesn't recognize him.
I would like to know which user connected my webSocket.
Usually it's quite easy to detect current user by calling springSecurityService.getPrincipal() in any controller. I managed to inject springSecurityService to my MeteorHandler, however it says that the principal is null. It feels strange for me, as the handler has access to JSESSIONID cookie, so I expect it to retrieve the correct session data.
Also, request.session command returns different HttpSession object, compared to the same command performed in regular controller action.
So is there any way to retrieve current logged in user on webSockets connection?
Thanks in advance.
The Principal object could be easily retrieved from request.userPrincipal.principal
It is exactly the same object as in springSecurityService.getPrincipal()
Find more here: https://github.com/kensiprell/grails-atmosphere-meteor/issues/28#issuecomment-34629462
I have hosted a rails application, an online examination system. The users need to get registered to get access to the system. So each user will be provided with a unique combination of credentials. Let us assume my user-name/password is demo/demo123. I want my app to block another person logging in to the system even if he knows my credentials. Any solution for such scenario.
Thanks for any help :)-
Using Cookie would be a better solution. When the user gets registered create a Cookie value specific to the User and System and in encrypted format (for security reason) and save it in the database corresponding to that user. Check for this Cookie token while logging in. When the user clears the cookie, s(he) can request the Administrator to clear out the DB cookie for creating a new one.
Using IP will not be a better solution since in a network, there can be dynamic IP's allocated to the PC's.
You could record the user's IP address in the database when they first log in, and only allow logging in using the same credentials but from a new IP address after some waiting period of, say, 1 hour, or until the current examination is complete. That should prevent more than one user being logged in to the same user account within a short time period.
The user's IP address can be accessed in a Rails controller using request.remote_ip.
You could use the lock gem to add a password to the entire application.
First, add to your Gemfile.
gem 'lock'
Then
bundle install
Next, create your password
rails g lock:create_password_file yourpasswordhere
Finally, add lock your application controller, or whatever you'd like (see documentation).
ApplicationController < ActionController::Base
lock
end
I have a Rails/Backbone app that implements Devise authentication with JavaScript/Ajax (using backbone). After the user logs in, I assign the userSession response object from devise to the app.currentUser to create a client side currentUser.
app.currentUser = userSession;
However, the way I'm using currentUser, I might as well just give it a boolean value because I don't use any of that userSession information.
Moving on, inside other methods of my app, I check for authorization by seeing if there is a current user like this
if(!app.currentUser) {
this.trigger("pleaseSignIn");
return;
}
else {
....
This works fine when I test it--If the user's not logged he can't continue to certain parts of the app. However, anyone with basic javascript skills would be able to bypass the login by setting app.currentUser = true in the console. I'm not protecting state secrets behind my authorization; it's just intended to encouraging signup etc.
My question is, is there a way to beef this up a little bit without checking if the current user exists on the server side (i.e. devise sets a current user server sideon login).
One (weak) strategy I considered was using totally meaningless names for my variables. I.e. instead of if(!app.currentUser) { I might say if(!app.godNotDead) so that someone would at least have to get past nonsense to hack my porous authentication wall. However, I'm still hoping for something a little more robust.
Maybe I should explain a little more how the app works. It does not have an authentication wall at the beginning. Rather, users can play with certain parts of the app, it's only when they try to click on other portions of the app that they're asked to login.
FYI, in the normal devise set up, authorization is checked in the Rails controllers on the server and can't be bypassed this way.
the best way would be get the state from rails and not client-side
UserModel.fetch()
// returns a user model if there is one, if not then you are obviously not authenticated
or, i think better, use a token as a param on your requests to the server
?token={some hash the server gave you}
so that its not just a boolean, you need a token
We are attempting to integrate an ASP.NET MVC site with our client's SSO system using PingFederate. I would like to use the built in FormsAuthentication framework to do this. The way I've gone about it so far is:
Set up my Web.config so that my FormsAuthentication LoginURL goes to my site's "BeginAuthentication" action on a "Security" controller. From this action, I set up some session variables (what URL was being accessed, for example, since Ping won't send this info back to me), and then redirect to our client's login page on an external site (www.client.com/Login for example).
From here, the authentication takes place and a cookie is generated on the same domain as the one that our application is running on which contains the unique identifier of the authenticated user, I've set it up so that once this happens, the Ping server will redirect to my "EndAuthentication" action on my "Security" controller.
In this action, I call my membership class's "ValidateUser" method which takes this unique identifier from the cookie and loads in the user on our application that this ID refers to. I save that logged in user in our Session (Session["LoggedInAs"], for example) and expire the cookie that contains the id of the authenticated user that the SSO system provided for me.
All of this works well. The issue I'm wondering about is what happens after our user has already authenticated and manually goes back to our client's login page (www.client.com/login) and logs in as another user. If they do that, then the flow from #2 above to number 3 happens as normal - but since there already exists an authenticated user on our site, it seems as though the FormsAuthentication system doesn't bother kicking off anything so I don't get a chance to check for the cookie I'm looking for to login as this new user. What I'd like to do is, somewhere in my Global.asax file (probably FormsAuthenticate_OnAuthenticate), check to see if the cookie that the SSO system sends to me exists, and if so, sign out of the application using FormsAuthentication.SignOut().
Another issue that seems to be related is that if I let my Session expire, the FormsAuthentication still seems to think I am authenticated and it lets me access a page even though no currently logged in user exists in my Session, so the page doesn't render correctly. Should I tap into the Session_End event and do FormsAuthentication.SignOut() here as well?
Basically, I want to know when the authentication ticket created by
System.Web.Security.FormsAuthentication.SetAuthCookie(..) gets checked in the flow of a request so that I can determine whether I need to SignOut() and force revalidation or not.
Thanks for any help. Sorry for the length of this message, trying to be as detailed as possible.
Mustafa
Welcome to the small section of Hades that is mixing session with formsauth.
If your needs are as complex as presented, you would get more sleep if you implement a full provider stack to share amongst the participating sites. Easier said than done, I know.
But to address your question:
from http://www.codeproject.com/Articles/39026/Exploring-Web-config-system-web-httpModules.aspx
On the way in....Check ticket and set identity #
app.AuthenticateRequest += System.Web.Security.FormsAuthenticationModule.OnEnter-->OnAuthenticate
On the way out... set the ticket and redirect as necessary
app.EndRequest += System.Web.Security.FormsAuthenticationModule.OnLeave
Reflector is your friend. ;-)
I don't know about a specific event for when the cookie is checked, but you could place the appropriate logic in Application_BeginRequest() and check the user's authentication state there.
Another issue that seems to be related
is that if I let my Session expire,
the FormsAuthentication still seems to
think I am authenticated and it lets
me access a page even though no
currently logged in user exists in my
Session, so the page doesn't render
correctly.
The life of the cookie (how long until ASP.NET feels it needs to ask for a password again) and how you are managing state are unrelated. The ASP.NET authentication is cookie based so that, should a developer want to, he could turn off viewstate, session, use no query strings or hidden fields and authentication still works.
If you want to tie the interval at which you request the password to how you are persisting data, then you will want your session expiration to be roughly the same as the cookie expiration, but they will never quite match up. It would be better to have two policies (one for how fast you throw away a users session data and one for how long you are willing to wait before you need to reask for a password)