I have inherited an AngularJS app that uses Spring Security to handle login. I have a different app, and when a user tries to go to a non-authenticated page (i.e. reloading the app after their session has expired) it does the proper thing: it simple puts "login failed" on the login screen, and lets the user log in.
The appI inherited throws up two consecutive dialogs with html say "you failed", followed by an error console, and only when all that's been dismissed does the user get to log in.
How do I make it so none of those things ever show up, and the user's just taken to the login screen?
Related
I've been learning Auth0 for a React / React Native project. With two different apps now, including one from their site, I see the following behavior:
clear browser cache
login
enter password, now logged in
select logout
--> now logged out
select login
am NOT prompted for password again, just logged in without interaction.
It seems the session has been kept alive even though I logged out. I would expect that if I manually log out of an application, I must re-authorize with my password on the next login attempt.
As I said I've seen this twice now, once with my own project and once with the tutorial they provide at https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/ . Doesn't make any sense to me. Am I missing something?
Thanks ~~
This is the Seamless SSO behaviour explained here. This is now enabled by default on all tenants and it "seamlessly" logs the user in without showing any prompts if a session exists for the user in the Authorization server (Auth0 in this case). Previously you would get a prompt that said "Last time you logged in with ..." Clicking it would login you in without requiring a password.
If you are "Logging out" and yet you can log back in again without needing to enter credentials, the most likely explanation is that you are actually not calling the https://YOUR_AUTH0_DOMAIN/v2/logout endpoint which logs out the user by clearing their SSO cookie in Auth0. You can confirm this endpoint is called from Network tab in your browser when you click to logout.
The Auth0 React quickstart by default does not call the logout endpoint, it only removes the tokens from browser storage. To clear the SSO cookie and logout from IdP using Auth0.js you need to call the logout function as well. Refer to the Auth0.js logout function here.
Hope that helps.
We Need to make an angularjs web with a login page where user login.
Then this page get information about logged user from the server to use later.
When user is ok logged an informative message show say something like : 'You are logged susccessfully, do not close'
Same angular web must have other pages a user can load.
For example pages with a lots of lists of information from back-end (but for get this information we can use data from the logged user tab still open).
But if user is not logged or user close the login page (we mean the page with susccessfully logged message) all opened tabs with pages listing information must close or show message of 'sorry, not logged, you closed session'.
We use angular routing for differents pages in an angular app but How can we connect all tabs so get information from a unique page of login and how close all of them if user is not loged or close login page in firts tab.?
i have an angularjs app, i am using cookie based authentication in this app. when i login with two different users in same browser window in different tabs my cookie gets override. For example i am logged in with a user 'A' in first tab of browser and i am logged in with a user 'B' in second tab of the same browser window. when i check the cookie in browser, i only see the information about last logged in user. and when i try to navigate through application with user 'A' i get wrong data.
my question is is there any way i can skip login screen if a user is already logged in my application? so that no other user can login within same browser?
i tried to use resolve:in AngularApp.config and tried to redirect already logged in user to /home but still i am unable to achieve it. any thoughts?
Once the login is completed you can save the status of the application in session storage. Then when you are initialising the application you can check the value exits in session storage or not and redirect user to different page depend on the value. Make sure you are removing the stored value in session storage when user logout from the application
I'm having a weird problem with my angular app. When the user is logged in and hits "refresh" in the browser, the app loads the log-in template which is part of the main index.html file. It does not, however, kill the user session, but the user can't get any where else in the app without re-authenticating. Can anyone offer advice?
When a user refreshes the browser, your entire angular application disappears and gets restarted. That's how SPAs ("Single Page Apps") work.
If you want to have the user not log in every time they do this, you have to save enough information in the browser itself to know that he or she has already logged in. You can do this by storing some information either in a cookie or HTML5 local storage, and checking to see if the login information is stored before you call your authentication service.
Also, if you use standard http BASIC authentication the browser itself will cache the authentication credentials.
I am running a Google App Engine project where everytime the user takes an action I want to check to see if the user is 1)logged in 2)an admin. This is the code I have for the appuser:
class AppUser
{
private UserService userService;
private User user;
public AppUser()
{
userService = UserServiceFactory.getUserService();
user = userService.getCurrentUser();
}
public IsAdministrator()
{
if(IsLoggedIn())
{
return userService.IsUserAdmin();
}
return false;
}
public IsLoggedIn()
{
return user == null;
}
}
When I log out with my app this works fine. However, if I log out on another page (like on google calendars or something) the app still thinks I'm logged in. Is there another better way to check if the user is still logged in?
Also I know that this can be done with security-constraint in the web.xml however that will not work in this case as I need to take certain actions if the user has logged off.
I am using App Engine SDK 1.7 and GWT SDK 2.4
Two ways to notify app about user logging out:
Synchronously - server actively notifies client (browser) about log-out. Use Channels API to send push notification to client. There is a GWT wrapper.
Asynchronously - server notifies client about log-out when client makes communication to server, i.e. in every RPC call add authentication check. If user id logged-out, raise an exception, which can be handled by GWT.
I ran into this today, though it was worse: I'd logged out as user A (from a Google Sites page), and logged in as user B, but my GAE app still thought I was logged in as user A. Argh.
The reason for this is that there are two cookies involved, one for tracking which Google user is logged into Google, and another for tracking which GAE application user is logged into my GAE application. Recall that a GAE could be using any federated authentication service, not just Google's. My application has no access to the google.com cookies, so I can't directly check whether user A is still logged in (or which user is currently logged in).
Unfortunately, I've not yet found a straight forward "federated logOUT" mechanism, though it is possible that Google Identity Toolkit can be used for detecting that the expected user is no longer logged in.
I found others discussing this issue:
How to manage multiple accounts login and logout in different browser pages?
UserService retrieves wrong user after logout
Update
I came up with a solution that works for my application, where I have a page that redirects the user, a student, to his or her classroom's home page. Since this is accessed infrequently by any one student (a few times a day), but which needs to know which student is logged in, I took the following approach which works for me:
User goes to page A, which clears the ACSID and SACSID cookies, and redirects to Google for the user to login.
User is probably already logged in, so Google (with several redirects) updates the ACSID and SACSID cookies to the currently logged in user, and redirects back to my application at page B.
Page B finally takes action on behalf of the logged in user, "confident" that the correct user is logged in (to the extent that pages are confident). ;-)
Here's a code sketch of the approach:
# My BaseHandler has a clear_cookie
class LoginAndRedirectHandler(base_handler.BaseHandler):
def get(self):
self.clear_cookie('ACSID')
self.clear_cookie('SACSID')
self.clear_cookie('dev_appserver_login')
if 'continue' in self.request.params and \
self.request.params['continue'].startswith('/'):
url = self.request.params['continue']
else:
# Whatever your page is that needs an up to date logged in user
url = users.create_login_url('/PageB')
if isinstance(url, unicode):
url = url.encode('utf8')
logging.info('Redirecting to ' + url)
self.redirect(url)
return
The reason I said infrequently above is that this process is expensive in time, with at least 4 or 5 redirects involved.