Spring Security is not deleting remember-me cookie when I log out - spring-security

I have a login page with a remember-me checkbox. When I actually check the box and log in, it works and creates the cookie for me logging in. The problem is that when I log out it redirects me just fine, but for some reason it keeps the rememberMe cookie active, so when I get back into the application from another page it immediately logs me in.
What are some things I can look at so that I can delete the cookie when I log out?

Try configuring your custom logout page if it differs from '/j_spring_security_logout'.
<http>
<logout logout-success-url="/logout.htm"/>
</http>
By specifying the 'logout-success' parameter you tell Spring that it has to delete the cookie after a request to that address.
NOTE: any code mapped to this link ('/logout.htm') will never be executed because of the standard Spring filters.
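For comparison, here is an added example (not part of the original answer) of the equivalent Java configuration in Spring Security 6 style, where logout deletes both the session and remember-me cookies and, because the remember-me tokens are stored server-side, the user's tokens are also revoked in the repository, so a copied cookie stops working after logout. The class and bean names, the DataSource bean and the placeholder key are assumptions.

```java
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig {

    // Hypothetical configuration class written for this example, not the original poster's code.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, PersistentTokenRepository tokens) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .rememberMe(rm -> rm
                // Persistent tokens live server-side, so logout can revoke them
                // instead of only asking the browser to drop the cookie.
                .tokenRepository(tokens)
                .rememberMeCookieName("remember-me")          // Spring's default cookie name
                .tokenValiditySeconds(14 * 24 * 60 * 60)      // two weeks
                .key("REPLACE_WITH_RANDOM_SECRET"))          // placeholder: generate your own secret
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                // Expire both cookies in the browser; the remember-me services registered by
                // rememberMe() act as a LogoutHandler and remove the user's tokens from the repository.
                .deleteCookies("JSESSIONID", "remember-me"));
        return http.build();
    }

    @Bean
    PersistentTokenRepository tokenRepository(DataSource dataSource) {
        // Stores tokens in the persistent_logins table described in the Spring Security reference.
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        return repo;
    }
}
```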

Related

Re-athenticated with the stolen cookies in Laravel Sanctum

I set up SPA authentication with Laravel Sanctum, and it works fine. I log in successfully with a user. In Chrome DevTools, Application > Storage > Cookies, I copy and save the values of laravel_session and XSRF-TOKEN to a text file, then log out, delete all cookies and refresh the browser; now I am logged out.
Then I re-open DevTools, restore the values of laravel_session and XSRF-TOKEN manually and refresh the browser; now my status is logged in.
Is this normal? Is this the way cookie-based session authentication works?
Thank you.
I was running into the same issue. My problem was that I called Auth::logout() instead of Auth::guard('web')->logout(); inside my AuthController in Laravel.
By using Auth::guard('web')->logout(); the cookies seem to get revoked by the server and can't be used for authentication any more.
By the way, I found the answer here: https://stackoverflow.com/a/63449251/10095327

Shibboleth Single Sign Out

I'm using Shibboleth authentication in my application, and when the user clicks the Logout button, he is directed to the ~/Shibboleth.sso/Logout link. It seems like a success when the button is clicked, but if I try to log in using Shibboleth once more, it does not redirect to the Shibboleth login page! Instead it shows the previously logged-on user (the one I've logged out).
So the session seems to be persistent even after logout!
But if I close my browser before signing in again, the user is redirected normally to the Shibboleth login page.
So it seems like a session state or cookie problem!
I've used the following code to solve it:
if (Request.Cookies["shibsession"] != null)
{
    // Send the SP session cookie back with an expiry date in the past so the browser discards it
    HttpCookie myCookie = new HttpCookie("shibsession");
    myCookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(myCookie);
}
// Then hand off to the Shibboleth SP logout handler
Response.Redirect("~/Shibboleth.sso/Logout");
But it's not working!
Can any one help?
The URL Shibboleth.sso/Logout hit at Service Provider has no control over the IdP's session, nor could it. It can send SAML logout requests, or issue proprietary redirects.
Best practice: logout should be handled by the Identity Provider.
Closing the browser is the only option after doing logout. Logout doesn't work at scale and it never will unless the browser vendors cooperate and just do it themselves. So you could assume that closing the browser is the only option, and that still requires clearing cookies on the latest browsers, Chrome or Firefox.

Spring Security "exceptionMappings"

Using Spring Security pre-authentication, my web app redirects to /login_disabled.html upon hitting an InsufficientAuthenticationException.
Sample of applicationContext-security-preauth.xml:
<beans:property name="exceptionMappings">
    <beans:props>
        <beans:prop key="org.springframework.security.InsufficientAuthenticationException">
            /login_disabled.html
        </beans:prop>
    </beans:props>
</beans:property>
Based on this post, it seems that I should be able to redirect the user to log in again.
Would I just need to redirect the user to the web page responsible for authentication?
It's not really clear to me what the problem is here. The redirection to the login page is done automatically without any further configuration if you have form-login set up. If the user tries to access a secured page without being authenticated, the ExceptionTranslationFilter invokes the AuthenticationEntryPoint to initiate authentication.
Using ExceptionMappingAuthenticationFailureHandler to map InsufficientAuthenticationException to a redirect URL won't work anyway because:
1. It's not indicating an authentication failure. It indicates the condition that the user is only anonymously authenticated while trying to access a secured resource (as opposed to an auth failure such as entering bad credentials, or the user having disabled status).
2. It never even gets thrown. (It is only instantiated and passed as a parameter in the above linked code.)

Spring Security: invalid-session-url versus logout-success-url

I am using Spring Security 3.1. Before I added the invalid-session-url attribute of session management, it was correctly redirecting to the logout page. However, after adding invalid-session-url it redirects to the session-expired page even when I click on the logout button.
Also, after the session-timeout period, if I load the login page it redirects to the session-expired page.
I have to check for session expiry and redirect the user to the session-expired page if the session has expired. However, after using the invalid-session-url tag it redirects me to the session-expired page even for the login and logout scenarios.
In some posts it is advised not to use invalid-session-url. However, I am unable to understand how I would then be able to show the session-expired page after an actual session expiry.
Any help will be appreciated.
By default, the logout process first invalidates the session, hence triggering the session management to redirect to the timeout page. Specifying invalidate-session="false" will fix this behavior.
<sec:logout logout-success-url="/logout" invalidate-session="false" delete-cookies="JSESSIONID" />
The session expiry is limited to detecting an invalid session cookie in a submitted request. If your logout doesn't remove the session cookie, then it will be resubmitted if you access the site again, which will trigger the invalid session URL. This is explained in the reference manual. I would read that and the accompanying footnote. As described there, you need to remove the session cookie, which may or may not work depending on your container.
Try adding the following to your security configuration.
<http>
<logout delete-cookies="JSESSIONID" />
</http>

Handling LTPA token timeout (websphere 7.x) in JSF richfaces 3.3

I am using JSF RichFaces 3.3 on WebSphere 7.x.
The problem is: when a user logs in to the application using a browser window and keeps it open for longer than the LTPA token timeout, an LTPA token expiration exception occurs. The page is then not redirected to the configured "logout" page; instead it gets redirected to the login page, and after a successful login a weird XML page is displayed.
I understand that this is happening because, on LTPA token timeout, when we try to access a JSF resource the page is redirected to the login page, as no authentication details are present.
Then, as no proper session is present and the Faces context is still trying to access the previous session's JSF tree, this exception occurs.
So the question is: how to handle this scenario of LTPA token timeout in JSF RichFaces 3.3?
P.S.: The page is getting redirected to the "logout" page on web session expiration.
Vamshi,
If the LTPA token has expired and you try to access a secured resource, it will naturally take you to the login page.
That is the expected behaviour!
After you log in again you go back to the page you had requested. Depending on your app, either a new HTTPSession is created or it might not even be created during this.
The application should be built to handle this. One approach could be to redirect the user to the main page of the application (after examining the HTTP session for the required information), stating that the required information is not available and that you are redirecting the user.
HTH