i have created a MVC application , without using asp.net membership provider, i want to redirect the user to the login page if the user logged out and press back button from explorer.
Thanks
You can't do this, as the page the user see when clicking 'back' is in fact the cached version of the page.
The best you can do is request the browser to not cache logged in pages, to do this you would place:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
on all pages you consider shouldn't be 'back button' accessible.
This is only a request however, browsers are under no obligation to oblige.
Now i can think in two solutions, you could create a filter for your controller, and control to authentication by Session, Cookies, etc... (what I don't recommend)
Sample of Actions Filters http://www.asp.net/mvc/tutorials/understanding-action-filters-cs
Second one and the best in my opinion, I preffer to do something more simple for Authentication, like Forms Authentication... take a look at this link:
http://weblogs.asp.net/fredriknormen/archive/2008/02/07/asp-net-mvc-framework-using-forms-authentication.aspx
I use this approach in my projects and works fine! Simple and easy!
I don't like very much of Membership provider.
I hope it help you!
PS: sorry for my english!
Related
In Rails, Is it possible to prevent HTTP requests that come from the Browser's address bar ? And only allow navigation through links made within the app ?
I really looking for preventing a user to simply type his destination in the browser and only uses the links provided.
I know It maybe sounds silly. But I'm kind of trying to give a different UX than any regular website.
Is this approach possible? And If yes, How?
And what is the possible disadvantages or deficits that may cause?
For completeness, Yes.
The previous responder is right, this sounds like a bad idea, but it is possible. I imagine it similar to how authentication work. Set a secret value in the session on the first page, ask for it it on the second page the user reaches, if they don't match user didn't use your navigation. Refresh as quickly as needed (every page, for example).
Drawbacks? It's weird, that's not how webpages work. A clicked link (or GET request) is not different than a URL typed in the browser. What do you mean by "different UX than any regular website", the more details we have the easier we can help.
No*.
You can make it harder for a user to guess the correct URL by using obfuscation or use sessions to make the application stateful. But technically a GET request sent by clicking a link or by typing the url in the browser are identical to the server. The former is a form of security by obscurity.
The whole basically violates the core tenants of what a RESTful application does. In REST a resource should be omnipotent - requesting the same resource should provide the same response no matter how the user got there.
If you find that an action should not be able to be performed by typing the address into the browser you are most likely using the HTTP verbs wrong (using GET where you should be using POST, PUT or DELETE) or have a poor authorization system.
I have a Grails based web app which uses Spring Security to handle user logins etc. I have hit a bit of a block and am hoping the more experienced might be able to point me in the right direction for a solution.
The application has the concept of messages which can be sent from user to user to provide a instant messaging feature. There is a timed Ajax call that is present throughout the system which is used to alert the user of any new incoming messages.
My problem is that since I have implemented this, each time the ajax call is performed, of course the users session is being refreshed, therefore never timesout. So a manual 'log out' is the only way they can log out, whereas before expiry of a session would redirect them to the login page.
Does anyone know how I can still accomplish automatic logouts whilst still have the timer functioning?
I'm hoping I can set up some kind of filter with spring security, or perhaps there's an annotation I can use on the periodically called method to instruct it NOT to refresh the users session.
As always any help & comments are appreciated.
Thanks to Long for pointing me in a different direction with his comment, I believe I have now a much better, more intuitive user friendly solution.
Rather than trying to change things on the backend, I am using a little jQuery script which is very easily configured and fits in perfect with my app which already uses jQuery and the jQuery UI.
After a specific period, a jQuery dialog pops up, modally dimming the background and informs the user due to inactivity they will soon be logged out. A progress bar is displayed which reduces until it is empty at which point if the user hasn't click my 'Continue Working' button, then I change the window location to the spring security logout controller URL, taking them back to the sign in page. It works beautifully and is very easy to configure.
The instructions can be found here : http://kenbrowning.blogspot.co.uk/2010/04/are-you-still-there.html
Kudos to Ken Browning for his library.
I thought this should be pretty well documented, because it seems like a pretty common scenario. Unfortunately, I find a lot of conflicting information out there and no real consensus on the correct way to go about this in an MVC 3 compatible, unobtrusive Ajax sort of way. I can certainly hack together something that "works", but i'd rather do it the way it's supposed to be done via the framework.
Here's what I need. I have Login link in the upper right corner of the site. The site allows both authenticated and unauthenticated users. So, I want to have a dynamic ajax popup when the user clicks the Login link.
This should go out to the controller, and pull back the HTML for the login dialog. It should then be displayed in a jquery ui popup dialog, and when the users enters their information it should redirect them to the "Dashboard" page (regardless of what page they are currently on). If they enter the wrong credentials, it should stay on the current page with the popup dialog still open and display validation errors ("username or password incorrect").
In other words, it has to tie into mvc 3 unobtrusive validation and use unobtrusive ajax, and display things in a jquery ui dialog.
This seems to be less trivial than I thought it would be. Any pointers to an example that does this? Anyone have a sample they can share?
UPDATE:
The conventional wisdom is, if you need to redirect, don't make it Ajax. However, in this case Ajax is required because I need to validate the creditials and post validation errors without causing a page refresh, or a redirect to a different login page. I need for the authentication to go through and post the errors in the popup dialog.
Seems like what you are looking for: http://evolpin.wordpress.com/2011/04/26/asp-net-mvc-partial-view-and-ajax-real-world-example/
Take a look at the MVC 4 Developer Preview. They have implemented the logon and registration process as popup dialogs in the skeleton app that is generated when you create a new app. There are a lot of other cool features worth checking out in this preview. Here is what the popup looks like for logon. It uses JQuery UI.
The point about MVC 4 login preview is that it can be used in two modes. As a Ajax/jQuery popup or standard form.
It does have a bug. It doesn't handle cancelation properly.
Currently working on an ASP.NET MVC 3.0 application and using FormsAuthentication.
When the user clicks the Logoff link, it calls the following:
public ActionResult LogOff()
{
FormsAuthentication.SignOut();
return RedirectToAction("Index", "Home");
}
Works great!
But if the user clicks the BACK button, he gets to see his previous page (although he won’t be able to do anything since the [Authorize] attribute is set) and we didn’t want that.
After many searches and posts regarding this subject, I ended up creating a custom ActionFilter called [NoCache] which is placed right underneath each [Authorize] attribute I have.
The [NoCache] attribute looks like this:
public class NoCacheAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
HttpContext.Current.Response.Cache.SetValidUntilExpires(false);
HttpContext.Current.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
}
}
It seems to work but I’m curious to know if this seems like the appropriate approach to use (or not). Are there any known issues I’m not aware of in using this technique?
In addition, I’ve been told that if I had an SSL Certificate then I wouldn’t need to do this but instead, create and set an HTTP Header with Cache-Control: no-cache which would, ultimately, make all my https pages not cached.
Can anyone confirm this?
If the above is true, then why would I create a custom ActionFilter?
Feel free to share any thoughts or better approaches…
Keep in mind, the ultimate goal is to make sure a user does not see his previous page(s) when clicking the BACK button after he’s been signed off (FormsAuthentication.SignOut();)
Thanks
Would using RedirectToActionPermanent("Index", "Home") work for you? I think it will prevent them returning to the immediately previous page (maybe not all).
Scott Hanselman recommended changing the application design to a Post/Redirect/Get PRG Model when a similar question was asked here.
UPDATE:
A third option is to generate a unique token for every page and invalidate the previous token upon every request. Here is an answer to a similar question that even mentions a bank using that methodology.
Conclusion:
I’ve decided to close this post with the following conclusion…
The PRG Model suggestion (and link) provided by Shawn is great and indeed should be practiced while developing MVC applications.
The pattern makes sure users who hit refresh (F5) are not re-submitting the form/data again. So it is a question of making proper redirect after a form submission.
As for my issue, I wanted to show the login page to the users that did try and hit the back button only after they’ve signed off (After FormsAuthentication.SignOut).
The behavior I am looking for is the same as when you logoff a banking web site. You are free to hit the back button but they will display a message letting you know that your session has expired (which in turn, you are forced to login again.)
I haven’t found (or worked on) a solution yet but the custom NoCache Attribute seems to be the way to go.
Once in production, I will have an SSL certificate applied to the protected pages and perhaps, when we get there, I might find a different way to achieve my task without the use of the NoCache Attribute.
When and if I do, I will share my findings.
Thanks
I'm wondering how to go about using Authlogic to auto register a user who chooses to use open id. Right now they have to register first before being able to login in, even if they choose open id, but I'd prefer if they could just login directly provided I get all the necessary details from the open id provider. But I'm not sure how to go about doing this?
Would I do it inside my user session controller or is there some fancy way to extend authlogic inside the model?
If someone could point me in the right the direction, i'd be grateful.
Here's an example of what I have now with the two pages:
http://morning-warrior-55.heroku.com/
Thanks,
Gaizka's version seems to work beautifully for me.
http://github.com/gaizka/authlogic_openid
Thanks, here's the example of it working:
http://big-glow-mama.heroku.com/
http://github.com/holden/authlogic_openid_selector_example/tree/with-facebook/
You have to use auto_register method in your UserSession model. Although i did try to solve the very same question. I succeeded with first time login/registration only.
Second time when user tries to login, the system tries to register it again.