When are registered LogoutHandlers in Spring Security triggered? Only upon manual logout (obvious!) or also when the http session expires?
Not when the session expires.
Example: RememebrMeServices
See the class AbstractRememberMeServices, which also implements LogoutHandler. We use remember me services to keep user logged in until a user explicitly logs out (or until the remember-me cookie expires). Its main purpose is to take care of session expiration issue and it is usually added for users who frequently use the application (for example, administrators or customer service representatives who don't like to login every time their session expires).
Related
I want to know which user is logged in currently into the ADFS.
I am using Claims Provider for ADFS and through that, I am logging into ADFS. Now I want to see in ADFS that this particular user is currently logged in. Basically I want to see the user details of logged in user in ADFS
There is no as such session monitoring console on ADFS, instead there are events generated for every successfull authentication that contains claims.
Also, if you want to check the entire header based interaction, please enable security logs.
Also, enabling security logs is not recommended for production environment as it creates enormously large count of events for every authentication request ADFS receives.
In my application I have used several session variables, but not given any session timeout in web.config. I have used authentication mode as none in web.config.
But after some inactivity time, its logging out and redirecting to login page. It should remain and all operations should carry as it is even though I kept it inactive for hours (like GMail, until we click logout it will be there). Please assist me in resolving this inactivity session out issue. It should not loose any sessions and operations should carry until I click explicitly "LogOut"
Best approach to handle this is,
Save user session on the database and store session token in a COOKIE which will never expire (You have set cookie expiry as never expire)
That saved cookie and session data on database will be removed when user is logout (You have modify logout code to remove those).
As well as, if user clears all saved cookies on the web browser then, that saved session no longer valid and user will have to login again to your system again. That is a obvious thing
FYI: This is the way exactly to enable Remember me feature.
I have a Spring MVC web application, there are no secure areas so all users can see all pages however i do have a Facebook log, using spring social, in and i do identify each user by session id. the scenario is that a user can see pages as a guest where the application identify him (or her) by the session id, when the user log in with his (or hers) Facebook account, a record is save for the user with the corresponding Facebook data.
the next time the user visit the application i want to be able to identify him.
i thought about using spring security remember me feature (and an infrastructure for maybe future use).
so my question is, is spring security the right solution for me? and if so is it possible to set authentication by session id?
Spring security is good for authenticating users. If you were just to authenticate by session id, there is the possibility that bogus users could access user info by spoofing their session data.
How do I detect in devise when the user's access tokens are stale and thus logging the user out?
Why do you need this? There is timeoutable option exist that allows to track session timeout. I might be wrong, but tokens are cookies keys that have time to live and they are tracked by browser. From Devise (hooks):
Each time a record is set we check whether its session has already timed out
or not, based on last request time. If so, the record is logged out and
redirected to the sign in page. Also, each time the request comes and the
record is set, we set the last request time inside it's scoped session to
verify timeout in the following request.
---- UPDATE (to not put in commets as its large)---
In the most cases, when you use is logged in, there is no requirements to get authentication from external servises. So in the cases when user is logged in (i.e. session cookie present and session is valid), and in the same time she logs out from external servise that means that she can use your site until your session is expires. Again, the external service is used once user requires authentication. So when session is expired on your site and user trying to log in using external service she will be redirected to external site where she will log in (or not if already). Then external service redirects back to your site provided callback (in the most cases path is /auth/:provider/callback) where your controller (or default provided by devise) will create if required an user and a session for him.
I am reading a great Rails tutorial and came across a passage that I had a question about:
Box 9.2.Sessions and cookies Because
HTTP is a stateless protocol, web
applications requiring user signin
must implement a way to track each
user’s progress from page to page. One
technique for maintaining the user
signin status is to use a traditional
Rails session (via the special session
function) to store a remember token
equal to the user’s id:
session[:remember_token] = user.id
This session object makes the user id
available from page to page by storing
it in a cookie that expires upon
browser close. On each page, the
application can simply call
User.find_by_id(session[:remember_token])
to retrieve the user. Because of the
way Rails handles sessions, this
process is secure; if a malicious user
tries to spoof the user id, Rails will
detect a mismatch based on a special
session id generated for each session.
For our application’s design choice,
which involves persistent
sessions—that is, signin status that
lasts even after browser close—storing
the user id is a security hole. As
soon as we break the tie between the
special session id and the stored user
id, a malicious user could sign in as
that user with a remember_token equal
to the user’s id. To fix this flaw, we
generate a unique, secure remember
token for each user based on the
user’s salt and id. Moreover, a
permanent remember token would also
represent a security hole—by
inspecting the browser cookies, a
malicious user could find the token
and then use it to sign in from any
other computer, any time. We solve
this by adding a timestamp to the
token, and reset the token every time
the user signs into the application.
This results in a persistent session
essentially impervious to attack.
I don't understand what this is saying. I take from it that a unique session ID is created and stored on the client in a cookie. Then when that cookie is sent to the server on a request, the server knows that is the user in question so that the login can be persisted. However, if a malicious user stole the cookie, I don't understand why they can't log in from another computer. The author says this is solved by adding a timestamp, but I don't see how that helps. Further, the author says that the token is reset every time the user signs in, but the whole point is a persistent sign in, so I don't understand. Please help!
You are correct—a "Remember Me" cookie can be used to steal a login. The issue that they're trying to resolve are if someone steals your cookie, containing your unique identifier, and hangs on to it—they'd then be able to log into your account at any point in the future.
The usual solution is to invalidate all previous cookies every time that you log into your account using either the username/password or the "Remember Me" cookie, so that a given cookie will allow you to login a single time. The timestamp is how they're ensuring the uniqueness of each cookie.
If you're worried about cookies being stolen, a typical solution is to also store the IP address that the request came from, and if the IP address that the cookie is coming from doesn't match the IP address that the cookie was created from, deny the login and force the user to sign in. This can be inconvenient to users who are behind dynamic proxies, or who carry their laptop to and from work/home/coffee-shop, since their IP address will change all the time.
"Remember Me" is a security hole by design. The goal is to limit how much of a hole it is, and if you're designing a system that requires absolute security, it's not a good choice. If convenience is more relevant than security, using timestamps and cookie invalidation limits the potential security issues.
If you're interested in more information on this topic, the Security Guide section of Rails Guides has an entire section on sessions.