I am trying to implement 'remember me' feature in my grails application using spring security core. The idea is to login user directly without asking for username and password if the user has logged in earlier. So, I added these codes in my config.groovy file
grails.plugins.springsecurity.rememberMe.cookieName='sptest_remember_me'
grails.plugins.springsecurity.rememberMe.alwaysRemember=true
grails.plugins.springsecurity.rememberMe.tokenValiditySeconds=5*60
grails.plugins.springsecurity.rememberMe.parameter='_spring_security_remember_me'
grails.plugins.springsecurity.rememberMe.key='sptest_test'
grails.plugins.springsecurity.rememberMe.useSecureCookie=false
grails.plugins.springsecurity.rememberMe.persistent=false
But I am prompted with login screen after the session has expired, I want the application to remember user's login for a month or so. How do I do it ?
Related
I am in the process of adding social media oauth login and registration to an existing site. I've followed the overall process described here:
https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
Currently, if a user wishes to change their account profile (including email address, password, etc.) then they need to supply their existing password. This is to prevent cookie stealing style attacks, or damage caused by people leaving accounts logged in on public machines.
However, if a user has registered using Facebook then a randomised password is set behind the scenes and the user is not aware that a password exists in our system.
This could make the simple process of updating the user profile a confusing and off-putting task. How do we present the password to the user, and how do we explain that it's different to the Facebook password?
I would like to present a Facebook pop-up or interstitial to the user before they change their account details, to force them to re-authenticate using their Facebook password, but I can't immediately see a way of supplying multiple callback URLs, or passing form data.
Is there a feature or workaround that would let me achieve this?
Please let me know if including any code would help, but you can assume that I'm using a standard Rails app running Devise and the Facebook oauth strategy, with code snippets described in the link above.
I'm developing Salesforce iOS application.
From application frequently the user has to modify data which is available on Salesforce.com.
When user tap on edit I'm launching salesforce login screen and prompt to enter username and password all the time.
So I have decided to implement SSO using Salesforce Oauth. I have done everything I'm able to receive a access_token once user authenticate with Salesforce.com.
My question is lets say "If the user want to edit a lead with id as 0097hjy7" , URL to edit this lead will be "https://sales.mysalesforce.com/0097hjy7" when this URL launch on browser it prompt to enter username and password again.
How can I navigate the user to "https://sales.mysalesforce.com/0097hjy7" this URL without asking username and password all the time by using the access_token available with me.
Thanks in advance.
I resolved this issue by adding Salesforce iOS SDK to my project and using some classes like SFOauthCoordinator and SFOauthCredentials. At the end we need to prepare a frontDoorUrlWithReturnUrl which is available on "SFAuthenticationManager" class.
I am using ActiveDirectoryMembershipProvider in my web app. I authenticate users with their domain credentials like so
if (Membership.ValidateUser(m.Username, m.Password))
FormsAuthentication.SetAuthCookie(m.Username, true);
This works well.
But even when the user's password is changed in active directory, the user stays logged in to the web app?
How can I ensure the user does not stay logged in to the web app if their domain password changes, or their account is disabled etc?
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the users credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here
Check if Active Directory password is different from cookie
I'm not 100% certain, but it sounds like you're unhappy that the user's auth ticket continues to work even though their password changes / account expires.
Once a user has logged in and has a authentication ticket (cookie), the user is not challenged for authentication again until until the ticket expires (set in the web.config file). Here are 2 suggestions for dealing with this problem:
Wait for the auth ticket (cookie) to expire. Upon the next login, the user will
be required to use their new password. Variations of this solution include using session-only cookies so that the user must always login when the browser is closed (recommended for AD authentication).
Write an Http Module that looks for a list of recently updated users and inspects the auth ticket early in the HTTP pipeline. If an auth ticket comes through and matches the list of updated users, you exprire the user's cookie and re-direct them to the login page. Here's a similar question that would help get you started:
How can I force a logout of all users on a web site
I'm using DotNetOpenAuth. I configured my application with Custom form authentication with Gmail OpenID through (DotNetOpenAuth). I can successfully login to my app. But say for eg. i logged out from application and click login (with in 10 to 15 Sec) its not redirecting to gmail login. It generated authentication token by itself without asked from user.(I hope something is cached OpenID)
I used PAPE
request.AddExtension(new PolicyRequest()
{
MaximumAuthenticationAge = TimeSpan.Zero
});
And also tried to configure in web.config.
<openid cacheDiscovery="false">
Is there any workaround for the same.
NOTE : Once i logged out i used to clear ALL Session and call FormAuthentication.SignOut()
With OpenID, you as the relying party cannot force the login policy for the user at their Provider. You can request that the provider relogin the user as you have with the PAPE extension, but the Provider may still ignore that.
The cacheDiscovery setting is irrelevant to pass-through login, so I suggest you remove that entry as it will simply slow down all logins.
I think you're mistaken when you say it's not redirecting to Google. If you look at the logs, or what your browser's URL bar, Google.com should be redirected to, but at that point Google decides the user has a login session and avoids prompting them to login again, and redirects the user immediately back to your site.
I am using Facebook, GMail and many other services and for each such service I have to enter my login and password. But only first time. After this first time the browser remember a login and a password and an authentication occurs automaticaly every time when I open this site.
How can I make this possibile for my site? Now I have to enter a login/pwd every time after I restart the browser.
Search the web for "cookie login". Things like authlogic and devise (since you mention Rails) have this baked (ahem) in. You most likely should not be rolling your own authentication code.
I'd recommend using Devise for authentication generally.
While you can probably code your own authentication features with no issue, Devise makes rolling out these new features a lot faster. For example, it's not difficult to setup these features:
Making 'Remember Me' optional so users can choose whether or not they stay logged on using a permanent cookie.
Automatic login using a token-based url (unique token per user account)
Integration with facebook, twitter, linkedin, etc via Omniauth
Allowing users to reset their passwords
Changing password security rules
etc, etc, etc.
Moreover, since it's very widely used it's very solid and debugged. There are many, many 'eyes on the code'.