Can I go to the logout page on inactivity - spring-security

Please suggest a solution to go to the logout page on inactivity, just like bank pages do.
After the session times out, the app has to display the login page to log in to the application. I am using Spring Acegi security. Your help is greatly appreciated.
Thank you for your time.

One possibility is that you could place a JavaScript (or meta refresh) in your web page which makes a request to the server after the timeout period. This will automagically redirect to the login page.

You just have to put this in your JSP page's "head" tag:
<meta http-equiv="refresh" content="${pageContext.session.maxInactiveInterval};url=login">
In the above URL you have to set your login controller path.
After the session has expired, your page will be redirected to the URL you specified.
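The meta refresh above is a one-shot countdown that the page cannot restart. As an added example (not code from the question or either answer), here is a JavaScript companion that does the same job but restarts the countdown on every request to the server, since only a request that reached the server extends the server-side inactivity clock. The session timeout value, the `data-session-timeout` attribute and the `/login` path are assumptions; the server-side timeout remains the authoritative control, and this only stops the browser from showing a stale page after the session has expired.

```javascript
// Added example: client-side session-expiry redirect that mirrors the server's
// session.maxInactiveInterval. The value is assumed to be injected into the page, for
// example from ${pageContext.session.maxInactiveInterval}. Server-side timeout stays
// authoritative; this only keeps the browser from showing a stale page.

function createSessionExpiryRedirect(options) {
  const timeoutMs = options.maxInactiveIntervalSeconds * 1000;
  const schedule = options.setTimeout || setTimeout;   // injectable for offline checks
  const cancel = options.clearTimeout || clearTimeout;
  const redirect = options.redirect;                    // e.g. () => window.location.assign('/login')
  let handle = null;
  let expired = false;

  function onExpired() {
    expired = true;
    handle = null;
    redirect();
  }

  // (Re)start the countdown. Only a request that reached the server extends the server's
  // inactivity clock, so call this per server request, not per local keystroke or click.
  // Returns false once the session has already been treated as expired.
  function noteServerRequest() {
    if (expired) return false;
    if (handle !== null) cancel(handle);
    handle = schedule(onExpired, timeoutMs);
    return true;
  }

  noteServerRequest(); // the page load itself was a server request
  return { noteServerRequest, isExpired: () => expired, timeoutMs };
}

// Browser wiring; skipped when run outside a browser (e.g. under Node for the checks).
if (typeof window !== 'undefined' && typeof window.fetch === 'function') {
  const guard = createSessionExpiryRedirect({
    // assumed: <body data-session-timeout="${pageContext.session.maxInactiveInterval}">
    maxInactiveIntervalSeconds: Number(document.body.dataset.sessionTimeout || 1800),
    redirect: () => window.location.assign('/login'), // assumed login controller path
  });
  // Wrap fetch so every request to the server restarts the countdown.
  const realFetch = window.fetch.bind(window);
  window.fetch = (input, init) => {
    guard.noteServerRequest();
    return realFetch(input, init);
  };
}
```

The timer is deliberately not reset on mouse or keyboard events: if the user types for twenty minutes without the page talking to the server, the server session is already gone, and a locally reset timer would only hide that.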

Related

Is socket.io connection only triggered on page load?

I have a Node application and users need to log in. We don't want to refresh the page after logging them in. The problem is we cannot add their sockets by their user id if the page is not refreshed. I'm thinking there may be some alternatives for this, rather than refreshing the page.
I found out that the socket id is saved in cookies. I just get it from the cookies after login and then save it to usersSocketList. This solved my problem.

Navigate to original requested page

I have pages which are secured by session. In case the session does not exist, navigate to the login page. This works fine.
Now, let's say I am at some page like abc.aspx. The session does not exist. The system navigates to the login page. So, once logged in, can I navigate the user to the page which was originally requested?
Usually it is done by adding the requested URL as a query parameter to the Login page URL, http://fakehost/Login?retUrl=originalpage, so app code can redirect back. The Forms authentication mechanism does it for you.
Yes, you can; however, it would be recommended to add a ReturnUrl querystring which contains the page they came from or need to go to after they have logged in. You can also use Request.UrlReferrer, I believe, which gives you the page they came from, but that means if, for example, they came from Google to your site to log in and you redirect, it would go back to Google.
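A return URL taken from the query string is attacker-controlled input: if the login page redirects to it unchecked, the login page becomes an open redirector. As an added example (not code from the question or the answers above, and not the ASP.NET Forms authentication implementation), here is a JavaScript check that honours only a local path on the application's own origin and falls back to a default page for anything else. The origin `https://app.example`, the `retUrl` parameter name from the question, and the fallback `/` are assumptions.

```javascript
// Added example: validate a retUrl/ReturnUrl value before redirecting to it after login.
// Only a local path on the application's own origin is honoured. Another host, a
// scheme-relative "//host" URL, a backslash variant ("/\host"), or a javascript: URL
// all fall back to the default page. Origin and fallback values are assumed.

function resolveReturnUrl(returnUrl, appOrigin, fallback = '/') {
  if (typeof returnUrl !== 'string' || returnUrl === '') return fallback;

  // Require the plain local-path form the authentication layer itself produces:
  // a single leading "/" (so "//host" and "/\host" are excluded up front).
  if (!returnUrl.startsWith('/') || returnUrl.startsWith('//') || returnUrl.startsWith('/\\')) {
    return fallback;
  }

  // Resolve the value exactly as a browser would, against the application's origin.
  let parsed;
  try {
    parsed = new URL(returnUrl, appOrigin);
  } catch (e) {
    return fallback;
  }

  // The parser is the final arbiter: if it resolved anywhere but our own origin, reject.
  if (parsed.origin !== appOrigin) return fallback;

  // Return the normalised local path (with query and fragment), never the raw input.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Pick the post-login destination from the login page's own query string, using the
// retUrl parameter name from the question (http://fakehost/Login?retUrl=originalpage).
function afterLoginLocation(loginQueryString, appOrigin) {
  const retUrl = new URLSearchParams(loginQueryString).get('retUrl');
  return resolveReturnUrl(retUrl, appOrigin);
}
```

The same check applies to a `Request.UrlReferrer`-based approach: the referrer is also client-supplied, so it must pass the same origin test before it is used as a redirect target.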

Reducing number of redirects - http to https

I am trying to reduce the number of redirects at my website login page in order for the page to load faster. My final task is deciding if it's possible to remove the redirect for the login page and still keep the site secure.
Should I make a landing page with a link to a secure login page, thus reducing the number of redirects?
Allow the login page to run under HTTP?
This will obviously introduce a big security risk to a page where users enter their login credentials, which is generally a pretty bad idea. I would suggest no, but it depends on what information the site will provide once logged in. If there's no accounting, no personal data, etc., then maybe it's okay, but I still wouldn't do it.
Edit: Updated due to question change
As stated, a static landing page with a link to the secure login page is a good solution here. It would be advisable to keep the http-to-https redirect on the login page though, as some users may try to type the address manually from memory, be using an old bookmark, or be using a cached link from a search engine. Alternatively, the http login page could redirect to a different landing page, alerting the user about the insecure page they have navigated to, and also serving the https login link.
A 'landing page' in http is the optimal way to remove the http to https redirect on a login page. The user can click a link to get to the secure https login page, therefore the login page is only available under https.
If a user wishes to have a URL directly to the login page to make access faster, they can bookmark it after clicking 'login'.

Asp.net mvc and jquery mobile authentication

I'm developing a mobile application using MVC 4, and I'm securing it. The application has 2 pages ("home" and "Clientes").
When the application starts it asks me for a username and password, with this being its URL http://localhost:59170/Account/Login?ReturnUrl=%2f.
I login and go to the home page. This is the url I can see on IE http://localhost:59170/Account/Login?ReturnUrl=%2f.
From this page I go to the Clientes page. This is the URL that I can see on IE: http://localhost:59170/Account/Login?ReturnUrl=%2f#/Clientes. At the moment all works ok (though the URL looks somewhat strange).
The problem occurs when I press the back button on IE. It must go to the home page but I go to http://localhost:59170/Account/Login?ReturnUrl=%2f#/Account/Login?ReturnUrl=%2f where it asks me to login.
What might cause this behaviour and how do I solve it?
Each time you request a page that requires authentication, .NET will redirect you to your designated login page and append the requested URL to the URL. That way, once the user has logged in successfully, it will redirect them to the page they requested automatically. In your first URL, for example, the return URL is the encoded representation of /, i.e. the root/homepage of your site.
It will keep redirecting you until you have authenticated. If you don't want to have authentication on your homepage, then just annotate your account controller with [Authorize] and not your home controller.

Windows Identity Framework Single Sign out Problem

I am using the code below for Single Sign out:
http://netpl.blogspot.com/2010/12/wif-ws-federation-and-single-sign-out.html
The problem which I am facing is that it prints the RP's name on the Default.aspx page of my STS application. I want that as soon as the user clicks on Sign out, the user should be redirected to some common page, which would be the home page of some RP. But when I do Response.Redirect on default.aspx of the STS after completing the Signout process, it did not perform the Single Signout process.
Can anyone help with this issue?
A sign-out is done the following way:
1. Click "Sign out" on an RP's page.
2. Show the sign-out page of the STS with image "links" to all currently signed-in RPs.
3. The browser requests the images of every RP. This request includes the parameter wa=wsignoutcleanup1.0, which does a sign-out on the RP.
Step 3 only works if the sign-out page of the STS is displayed in the browser. By calling Response.Redirect you prevent this. A possible solution could be to redirect the user to the target page after, e.g., a second. This can be done through JavaScript or a meta tag:
<meta http-equiv="refresh" content="1; url=http://example.com/" />
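A fixed one-second meta refresh races the image requests: a slow RP may not have received its wsignoutcleanup1.0 request before the browser leaves the page, and that RP's session survives. As an added example (not code from the answer above, the question, or the linked blog post), here is a JavaScript version of the STS sign-out page that issues the cleanup requests as images and navigates to the common landing page only once every RP has answered (load or error), with a fallback timer so a dead RP cannot strand the user. The RP URLs, the landing page `https://home.example/` and the fallback of 5 seconds are assumptions.

```javascript
// Added example: STS sign-out page script for the WS-Federation flow described above.
// Each RP gets an image request carrying wa=wsignoutcleanup1.0; the page navigates to the
// common landing page once all RPs have reported (or a fallback timer fires), rather than
// after a fixed one-second meta refresh. RP URLs and landing page are assumed.

// Build the cleanup URL for one relying party, appending correctly whether or not the
// RP URL already carries a query string.
function buildCleanupUrl(rpUrl) {
  const u = new URL(rpUrl);
  u.searchParams.set('wa', 'wsignoutcleanup1.0');
  return u.toString();
}

// Coordinator: call done() once per RP (on image load OR error, since a failed cleanup
// must not strand the user). Redirects when every RP has reported or when the fallback
// timer fires, whichever comes first, and never more than once.
function createSignOutCoordinator({ rpUrls, redirect, fallbackMs = 5000,
                                    setTimeout: schedule = setTimeout,
                                    clearTimeout: cancel = clearTimeout }) {
  const state = { pending: rpUrls.length, finished: false, reason: null };
  let timer = null;

  function finish(reason) {
    if (state.finished) return;
    state.finished = true;
    state.reason = reason;
    if (timer !== null) cancel(timer);
    redirect();
  }

  function done() {
    if (state.finished) return;
    state.pending -= 1;
    if (state.pending <= 0) finish('all-rps-reported');
  }

  timer = schedule(() => finish('timeout'), fallbackMs);
  if (rpUrls.length === 0) finish('no-rps'); // nothing to clean up: leave immediately
  return { done, state };
}

// Render the invisible image "links" the answer describes, wiring both outcomes to done().
function renderSignOutImages(doc, coordinator, rpUrls) {
  for (const rpUrl of rpUrls) {
    const img = doc.createElement('img');
    img.width = 0;
    img.height = 0;
    img.onload = coordinator.done;
    img.onerror = coordinator.done;
    img.src = buildCleanupUrl(rpUrl);
    doc.body.appendChild(img);
  }
}

// Browser wiring; skipped when run outside a browser (e.g. under Node for the checks).
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const signedInRps = ['https://rp1.example/app/', 'https://rp2.example/portal?tenant=a']; // assumed
  const coordinator = createSignOutCoordinator({
    rpUrls: signedInRps,
    redirect: () => window.location.assign('https://home.example/'), // assumed landing page
  });
  renderSignOutImages(document, coordinator, signedInRps);
}
```

The sign-out page still has to be rendered in the browser, exactly as the answer says; the script only replaces the fixed delay with "leave when the cleanup requests have actually completed", which is the condition the meta refresh can only approximate.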
