I have a web application where I use spring security. I have a problem logging out because my application remembers the last page after logging out. What I want is once the user logs out should not be able go back.
My application-config snippet :
<security:logout logout-url="/logout.do"
invalidate-session="true"
logout-success-url="/logoutSuccess.do" />
Try this:
HttpServletRequest.getSession(false).invalidate();
The standard logout filter will invalidate the current HTTPSession, if your user has a cached version of one of your protected pages there isn't much you can do about that however even if they return to that page they will not be able to use it to make any further requests to your application until they obtain another valid session.
Related
In ASP.NET MVC in one of the WCF services I place an object into the HttpContext.Current.Session object.
When the session times out and the session is cleared of all objects I want to log the user off but have been unable to find a way.
In Global.asax
when the Session_end method is called the Response object and HttpContext.Current are both null.
Any ideas how to log the user off is appreciated.
When the session times out the user no longer exists in any case. If what you are trying to do is clean up open browser windows you would need to implement a timer based on time remaining before session expiration.
SignIn and signout have to do with adding or deleting cookies or tokens to authenticate with an external service. The call that you see should be in the login controller and should not be moved to the global.asax.
No additional action is required.
I think it is wrong practice to try to keep session and authentication cookie in sync. Session and cookie are different things. You can login with multiple users during the same session period. You start a new session when you open some url and it ends when you close the window or it expires on the server side. For more information about session - authentication cookie relationship please read the following answer: asp.net cookies, authentication and session timeouts
Anyway if you want to do it you can use one small trick. You have to periodically call your server with ajax call for example call YourWebsite.com/chcecksession page each n seconds. There you have to check for the existence of a session variable. If it does not exists anymore then simply call FormsAuthentication.SignOut(), refresh your page and the user will be logged out.
I'm not sure about your implantation of WCF as I'm not that versed in WCF. I'm currently building a large scholarship application and we want to restrict logins to a single login per user. I have a table setup to track the userID and a GUID that I store in their Auth Cookie. You could use a session ID instead. I'll be caching the table and refreshing the cache each time I add or remove an entry. I'm using SignalR (you can get as a NuGet package) to maintain connections with each of our clients. When they close their browser SignalR can immediately report that the user is gone and I can terminate their record from the session tracking table. In your case, you could kill the session. Additionally if a user tries to login again, I can see they are already logged in. I then kill their original session and allow them to log in new.
It took a few hours to get used to using SignalR and I highly recommend the videos on Plural Sight.
Set both timeouts in following configuration to exact number of minutes. Make sure you set slidingExpiration to true, that is same as authentication will continue to extend to 30 minutes after each request, as session continues to extend after each request.
<authentication mode="Forms">
<forms loginUrl="~/Auth/SignOn.aspx" timeout="30" slidingExpiration="true" />
</authentication>
<sessionState timeout="30" />
We have some shopping cart pages which work with both guest and user paths. We want to allow a user to login at any time during the process but don't really want to create yet another login page. I'd prefer that we can simply redirect the user to the existing login and tell Spring Security what URL to come back to.
I know this happens automatically when sessions timeout and/or protected pages are requested without a session, but is there a way I can give the URL to Spring Security myself?
If you just need a simple return-to URL to retrieve the cart, then you are probably best to implement that yourself in an AuthenticationSuccessHandler. You can look at the source for SimpleUrlAuthenticationSuccessHandler and its parent for inspiration.
The default login mechanism uses the RequestCache and a SavedRequest, but that is intended to actually replay a request which would not otherwise be authorised. That's probably overkill in your case.
I use chrome as debugging browser.
When I start my MVC (Razor) website, click the stop button and the website keeps running in chrome ,while I can make changes in VS ... perfect.
But sometimes (due to I don't know what changes), when I refresh a page, I'm still logged in, but I looses all my session vars.
How can I catch if session vars is cleared, so I can take my users back to login page? (I need a kinde global.asax page_request method.
I do have the .. <forms loginUrl="~/Account/LogOn" timeout="2880" /> ... but Im not logged out - only session vars are cleared.
It's because your login state is persisted in a client cookie. The session state is persisted on the server in memory (or whatever). When your app restarts the session is cleared but the user still has a valid forms authentication token (assuming forms authentication here) on their machine. Forms authentication does't use session in any way by default.
So, at the beginning of the request, you can either reload the user session from the database when it's null (I think this is the preferred approach if possible) or redirect the user to the login screen with a message saying "ooops, sorry we've lost your session" (which is not good!)
If you use the built-in Authorization functionality, you can just add the [Authorize] attribute. There's some info on using custom authentication here:
ASP.NET MVC Authorization
Lee Gunn explained it well. One solution would be to create a custom filter attribute similar to Authorize that verifies the session has the values you're expecting and decorate the appropriate controllers/actions.
I am newbie in Spring Security 3, and I am having the next problem.
Using the spring-security Namespace, I try to configure a single basic authentication, in wich I want only to filter the POST method.
From my servlet.xml configuration:
<security:http auto-config='true'>
<security:http-basic></security:http-basic>
<security:intercept-url method="POST" pattern="/**" access="ROLE_USER" />
</security:http>
Well, the thing is that, after starting the server, it works fine the first time (that is, the other methods doesn't prompt any authentication screen). But after a first use of the POST method, it prompt the authentication screen for all the method. Does anyone knows what am I missing?
Thanks in advance for your time! ;-)
Ok, auto-answer! xD
I was using to try it a Firefox plugin called Rest Client (I really recommend it ;-) ). My failure was, after the first login tryial with the POST method, that it saved in cache that it has prompted an HTTP-BASIC authentication. After cleaning my history, it works fine.
After that, I have learned:
-Think always in the cache when you use a browser
-Give more information about your environment when you ask something in Stackoverflow xD
Thanks everyone!!
I have a problem with my j2ee application using spring security. I set max-sessions in concurrent-session-control to 1. Now it works fine when I try to Login the second time it will stop me. But when I logout the other one and try to login again I still get this same message.
Your login attempt was not successful, try again.
Reason: Maximum sessions of 1 for this principal exceeded
I have this in my http security
<security:logout logout-url="/logout.do"
invalidate-session="true" logout-success-url="/logoutSuccess.do" />
<security:concurrent-session-control
max-sessions="1" exception-if-maximum-exceeded="true" expired-url="/loginform.do" />
It's been quite a while since you posted this, but if anyone else is having this problem I believe this behavior will occur if you don't add org.springframework.security.web.session.HttpSessionEventPublisher as a listener in your web.xml.
See here:
Adding the listener to web.xml causes an ApplicationEvent to be published to the Spring ApplicationContext every time a HttpSession commences or terminates. This is critical, as it allows the SessionRegistryImpl to be notified when a session ends. Without it, a user will never be able to log back in again once they have exceeded their session allowance, even if they log out of another session or it times out.
please check that the error page is not cached (press F5) and look in the logs to see if the logout is working fine.
Make sure your Spring Security Filters run before your Struts Filter.
Set a break point at Spring Security's LogoutFilter.doFilterHttp method. Make sure that part runs properly.