Is it possible to login two or more with ASP.NET Membership? - asp.net-mvc

Note: This is for a MVC 3 Intranet app. And yes, the two or more users MUST be able to be logged in at the same time.
I have an app that will require two or more people to be logged in to a form at the same computer at the same time. One person will be logged in to do work, the other will be logged in to acknowledge/check some of that work.
Is Membership able to handle that? If yes, how?

They can't both be logged in to the same browser at the same time. Personally, I've never seen a web application where two users can be logged in at the same time in the same browser. I'd go with a more traditional workflow.
You'd have to have the first person log in, do the work, and log out. The work that the first user did would go into a queue for the second user. The second user would then log in, pick up the workflow from the queue, acknowledge/check the work, and then log out.

Related

Gigya removeLoginEmails removes last login id

Is there a way to stop accounts.setAccountInfo from deleting an email if it is the last standing login ID?
Currently if I have 2 verified emails, both loginIds, and issue 2 requests removing one email at a time (I know I can pass a comma separated list), I end up with an account that can't log in anymore as no login Id is left.
Both return 200 ok and no error code.
I've looked for an etag implementation so I can at least force some sort of an optimistic lock but couldn't find support for it.
Any ideas?
This is by design, as in the case a user's email(s) were compromised, there needs to be a way to disable login of the account until the user can have their information updated via a customer service representative. There is no out-of-the-box way for an end-user to use this particular parameter, so, unless a currently logged in user is manually calling the method from the JS console, there is no way for this scenario to accidentally happen.
From the server side, if you are worried about a specific application calling this method and need to restrict a specific app from accessing this particular API, you can assign the application key to a permissions group with restricted permissions. ref: https://developers.gigya.com/display/GD/Console+Administration#ConsoleAdministration-PermissionGroups
If you think this behavior should change, please open a ticket from your Gigya/CDC account dashboard for investigation.

parse.com What's your authentication strategy on existing user accounts?

Context
I am using Parse.com as my backend for a mobile app. I use Facebook login only for now.
Assuming the user has logged in with Facebook and now has an account created on Parse already.
Question
Every time the user opens the app, should I do a check if his account is still valid by using PFUser.currentUser().become()? Or should I use the cached PFUser.currentUser()?
I have found out that if I delete the user account in the Parse backend, if I don't do a become(), the PFUser.currentUser() is still valid, even if the account does not exist anymore.
What is the best practice?
It's generally better to add a column to the user such as 'disabled', and when the app starts you can refresh the user, check that flag and display a message to the user and logout. That, from a user point of view, is similar to using become (at least as long as you check and notify the user).
So, you should do something if you're going to be removing or disabling users in the background. The main question is whether you fully delete the account or just delete the contents but leave the (empty) user in the system as a record.

OAuthWebSecurity, MVC! Can you force the user to log in each time?

I am using the code that gets implemented in a new MVC Project for users to log into Google, Yahoo, etc. I have it all working, but what I notice is when I try to log in with Yahoo, there might be another user (my brother-in-law) logged into Yahoo on my machine, so when I try to log in, it tries to register him. That is annoying, so I want it to force the user to re-enter their username/password on Yahoo (Google, etc.). Is that possible? This seems like a security flaw also. If I was in my app and then logged out, but did not log out of Yahoo, Google, etc., anyone could come along and log in to my app. That hole is so wide and obvious it tells me I am probably doing something wrong, because they would not have designed it that way. I am thinking I need to destroy some cookie or token on my site when the session ends or I log out.

Spam accounts being created via Facebook login

I've got a Rails app that uses Facebook for user accounts, and as of this evening, someone in Vietnam has decided to (for whatever reason) use a bot to create fake accounts on my site using fake Facebook accounts. I'm getting about 2 new fake accounts / minute.
I've temporarily disabled registration, but I don't want to leave it that way, so I'm not sure what to do.
A couple things to note:
All the accounts use #yahoo.com or #ymail.com addresses
A lot of the accounts are registered by the same IP, but not all of them. It seems like he switches up the IP every 15 minutes or so.
I'm really at a loss, and I want to go to bed, but I can't until I find a solution to this. Help!
Make a captcha in the registration form. If you already have a captcha in it, then change the captcha generation mechanics. Also I think that your opponent made a script which automatically adds new user accounts to your web page, so as a temporary decision you can change the URL of the registration handler.
You can use some techniques like limiting access to the application using something like a smart algo to block the IP that is requesting numerous accounts, or limiting account creation to no more than one user from an IP.
And as specified if you know the pattern you can filter the request based on the pattern and deny any access.
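The per-IP limiting and pattern filtering the answers above suggest, as an added example that is not part of the original thread and not the asker's app; the limits, window size, IP addresses and class/method names are assumptions, and the captcha step is only signalled as a decision, not implemented:

```ruby
# Decides whether a Facebook-login registration attempt may proceed.
# Added example (not from the thread); names and limits are constructed.
class RegistrationGuard
  WINDOW_SECONDS = 15 * 60          # the asker saw the IP rotate every ~15 minutes
  MAX_PER_WINDOW = 3                # constructed limit: signups per IP per window
  WATCHED_DOMAINS = %w[yahoo.com ymail.com].freeze  # domains the question reports

  def initialize
    @attempts = Hash.new { |h, ip| h[ip] = [] }   # ip => timestamps of accepted signups
  end

  # Returns :rate_limited, :captcha or :allow. Only accepted signups count toward
  # the window, so attempts that were already refused do not extend the block.
  def check(ip:, email:, now: Time.now)
    recent = @attempts[ip].select { |t| now - t <= WINDOW_SECONDS }
    @attempts[ip] = recent
    return :rate_limited if recent.size >= MAX_PER_WINDOW

    recent << now
    domain = email.to_s.split('@', 2).last.to_s.downcase
    # Matching the reported pattern does not block outright (legitimate users
    # have such addresses too); it routes the signup through a captcha challenge.
    WATCHED_DOMAINS.include?(domain) ? :captcha : :allow
  end
end

# Constructed replay of the thread's scenario: one IP creating an account about
# every 30 seconds. Returns the guard's decision for each attempt in order.
def replay_burst(count: 6, gap_seconds: 30, ip: '203.0.113.7')
  guard = RegistrationGuard.new
  start = Time.utc(2024, 1, 1, 0, 0, 0)
  Array.new(count) do |i|
    guard.check(ip: ip, email: "bot#{i}@ymail.com", now: start + i * gap_seconds)
  end
end
```

Wire `check` into the registration controller before the account is created, and log the `:rate_limited` decisions so the rotating IPs can be reviewed afterwards.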

Has Google pushed an update to their OAuth2.0 flow that breaks multiple accounts?

Up until last week, whenever I was logged into multiple accounts in Google and I invoked the OAuth2.0 flow, I would get to an ugly screen (looked like it had been hit repeatedly with the ugly stick) that was functional. It would display a list of radio buttons with all the accounts I am logged in as; you select the one and continue through the flow.
This week I now get a beautiful screen that is non-functional (does not list accounts, and the sign-in button only adds an additional account to the list of accounts I am signed in as). I should point out that I am logged into 4 different Google accounts at the same time. The OAuth2.0 for my app appears to be working fine, as if I start an incognito window in Chrome, or start a new session and only have one account logged in, my OAuth flow continues normally.
Is this just me or is everyone hit by it?
We (Google) are rolling back the new page and within a few minutes it should return to the previous behavior.
Any chance you could let us know what kinds of accounts those 4 you were logged in to were? SAML? Google Apps? Plain gmail?
We're also experiencing this. Hope someone at Google takes note and gets this fixed soon!
EDIT: To clarify, I've only experienced the problem when logged into both a personal Google account AND a Google apps account. Haven't tested other situations at present.
FYI, we just rolled out the new UI, so you may begin to see the "beautiful screen" that is now functional. :-) Thanks for the bug report.