The default behavior of a DNN installation is to prevent users from saving their account credentials in their browser.
I believe this is done by changing the ID of the credential input controls on the login page(s), but I am not sure.
Is there a setting or common method for fixing this so that users can save their credentials?
Edit: I'm not talking about the separate issue of whether a user's session is "remembered" by clicking "remember me". I'm just referring to enabling web browsers' login/pw storage. It can't be too horrible to enable if Amazon allows it.
It's actually done by setting an autocomplete=off attribute on the textbox. I don't believe that this is exposed through a setting (i.e. the only way to change it is to change the control that your authentication provider uses, which is a fairly big undertaking).
EDIT: After reading further on this, it seems this solution is less secure than the one provided here.
If you are talking about the issue where remember me doesn't work, you just need to make a simple change to your web.config file. Just increase the value of the timeout setting in the authentication -> forms section it's also a good idea to add slidingExpiration="true"
<authentication mode="Forms">
<forms name=".DOTNETNUKE" protection="All" timeout="10080" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
Related
I'm trying to use react-facebook-login to authenticate users, but I need to access the user's email. This should be doable via the scope parameter, but it doesn't work. There are multiple issues about this subject on Github going back years that haven't been addressed.
My question is - is there a way to modify/override this package to accommodate this (it appears the scope parameter is simply not added to the popup url), since it looks good otherwise? I have no idea how to patch or override node modules.
Alternatively, what is the absolute easiest way to implement this - is getting dirty with the Javascript SDK the only way, or are there better packages?
<FacebookLogin
appId="myappid"
autoLoad={true}
onClick={componentClicked}
callback={responseFacebook}
scope="public_profile,name,email"
/>
The Package has no issue your app does, you need permission to access such information, while in development you can get the the information's just fine but be aware in a recent change in facebook graph api now in order to access user email you must ask for email Advanced Access you can do that by going to your app dashboard
https://developers.facebook.com/apps/appId
in the left panel click App Review and select Permission And Futures there search for email and click Get Advanced Access Clear your browser cache and you good to go
I'm using this package instead which works as intended:
https://github.com/seeden/react-facebook
Use case: A native(.NET desktop) app that connects to Azure SQL Database using Azure Active Directory authentication.
Since .NET 4.7.2 there is new SqlAuthenticationMethod.ActiveDirectoryInteractive setting for opening a connection to DB. This setting results in a pop-up dialog for sign in, which works well.
E.g. Some documentation example here
Problem: Each time the desktop app is restarted - the sign-in popup appears again, asking for password again, which is frustrating for people who prefer "remember me on this PC" kind of behavior.
Is there a way to enable "remember me" in this scenario ? I didn't find anything in the documentation / web / SO ...
P.S. I assume I can implement it myself if I work with JWT tokens and not with ActiveDirectoryInteractive, but before I do that asking here.
I came across a Token Cache option from here.
Which eventually helps with the problem of sign-in popup upon each restart, due to caching the token.
Get the FilesBasedAdalV3TokenCache class and then provide it when initializing AuthenticationContext:
...
AuthenticationContext authContext = new AuthenticationContext(parameters.Authority, new FilesBasedAdalV3TokenCache(".\\Token.dat"));
...
In attached image button is disabled by default based on access, however if i delete the property highlighted it gets enabled & user can able to perform actions.
Please do provide solution to restrict it.
Please see image attached related to issue with chrome Developer tool
You can't stop the user from doing that. Its their browser, and it's entirely in their control. Any user can manipulate the page in any way they choose, and run any script they choose from the console, etc etc. If the have the knowledge and inclination, they can do as they please. If they want to change the page to try and make a malicious or incorrect submission of they data, they can.
The mitigation you can (and must) put in place is to check and sanitise all data coming into your server-side API to guard against what is coming from the client being malicious or otherwise inappropriate.
Bear in mind your API just accepts HTTP requests, there's nothing to say a client even needs to use your web app to make requests, they could use a tool like PostMan or any other HTTP client to attack it. They can bypass the browser completely. So you have to apply all permissions, data checking etc on the server first to ensure security. If you then apply it on the browser-based web app, that's nice but you have to regard it as just a usability feature - it can never provide any real security.
well, as all html code in the browser you cannot prevent it from being manipulated, never trust the client and check the access of this action in the backend.
Keep in mind that even if the button is disabled, a developer can rebuild the request of this form and send it without using any user interface.
There is an alternative way that you can do in this kind of situation. You must unbind the event when the button is disabled and bind it again when the button is enabled. It will solve your problem.
Much better sanitize it in server side.
I am creating an Angular 1 SPA. Certain controls are only visible to users with certain permissions. This is based on scope variables set by server api calls.
It occurred to me that if I could access these variables through a browsers dev console, I could change their values.
I tried this for example:
angular.element($0).scope().$parent.myUserInfo.accessType = "admin"
angular.element($0).scope().$apply()
And sure enough, the admin controls popped up on the page even though I was not logged in as an admin. Is there a best practice to stop this or am I going about it completely wrong?
The authentication always have to be made on the server side.
I don't know what you are trying to do, but if the user interacts with some webService/Rest API, etc... the server should disallow such interactions.
If the accessType property of your scope is just a way for you to know which UI you should display to the user, and the authentication/session mechanism is correctly handled by the server, that should not be a problem.
However, you cannot disallow the user to play with the dev console, so you'd better handle the authentication correctly.
I am not sure if there is a way of protecting values in $scope.
But as JavaScript is executed client-side and it is therefore be possible for users to modify said code, I would always verify permissions server-side. Then it wouldn't matter if users enable the admin controls client-side as they have no permission to use the api calls.
I have created a web page with RoR and i am using auth system that i wrote. Now i would like to create an admin panel, where i can see the user info etc..
I am not sure but what i though is to add a column name to auth system like admin? giving a default name false. Then if the admin? is true admin panel opens instead of the web page login.
I wonder if i can use the same auth system so in order to login to page it logs in to admin panel.
But in the controller it will check if admin? is true for every user, i am not sure about the burden in terms of the system requirments as it will check every user.
And i know there are other gems for admin panel but its fine i can design it. I am just not sure which way is the efficient way.
The burden on the system will be negligible. It depends a little bit upon how your auth system is configured, but I am assuming that you give the user a token when he/she is properly logged in.
When the user first tries to sign in, you should check if they are an admin. At this point, if they are, then you can sign them in as an admin, also storing that information in the session. You should perform this check on the controller actions where they need to be an admin. It will not affect performance to any noticeable degree and is important for the security of your site.
Also, you may want to check out the CanCanCan gem, which is a fork of CanCan built by Ryan Bates, for an example of how this works. Unless you're building the application for educational purposes, I highly recommend the CanCanCan gem.
Hope this helps!
In addition to that, you may try Rails_Admin, which provides an easy-to-use interface for managing your data.
And I've considered to use this gem for my project, which is a huge database, so it seems to very helpful.