Snowflake Account expiry - authentication

I am using the Python connector to use Snowflake from the backend. I need a query or something to check whether my account is valid or has expired, basically for a trial account. In the Snowflake UI it shows the error, but when using the Python connector I need to get a similar error, like at the time of login itself.

"Your trial has expired" is not really a thing that people "normally" need to programmatically know about.
Unless you are repeatedly "programmatically" making more accounts, which seems against the purpose of the free accounts.
I would think that your Python would start failing to log in, at which point it should back off and try again after an escalating timer (1s, 10s, 60s, ...) but at the same time tell you there is a failure (of some sort), and at the time the account expires you stop running your automation/Python code.

Related

Cognito: Understanding LimitExceededException

When using Cognito's forgotPassword function, I get a 'LimitExceededException' error if I try to run the forgot password method more than 5 times.
Is there further documentation on this at this point?
This question brought up a similar point several years ago, but there was no guidance on any documentation. And this question brought up a similar issue, with comments noting in frustration there is no guidance on how long to wait.
I am hoping there is guidance available on:
How long does a user need to wait before trying it again? It's not helpful to my users to say "Please try again later", without any guidance on when. In my testing, I waited more than 30 minutes after, and the error still appears. This seems excessive for users. 
Can I add this protection to the signin process? (not just the reset password process). This security protection does not appear to occur in the case of signing in. There, I can enter an incorrect password multiple times without a "too many attempts" type warning. I'd assume that is an important security step.
According to https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html,
We allow five failed sign-in attempts. After that we start temporary lockouts with exponentially increasing times starting at 1 second and doubling after each failed attempt up to about 15 minutes. Attempts during a temporary lockout period are ignored. After the temporary lockout period, if the next attempt fails, a new temporary lockout starts with twice the duration as the last. Waiting about 15 minutes without any attempts will also reset the temporary lockout. Please note that this behavior is subject to change.
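The schedule quoted above, modelled as a small sign-in throttle. This is an added example, not AWS code and not part of the original answer. It assumes that lockouts start with the sixth consecutive failure, that ignored attempts still count as activity for the 15-minute reset, and that `check_password` is a hypothetical callback supplied by the caller.

```python
from dataclasses import dataclass

FREE_FAILURES = 5         # failed sign-ins tolerated before lockouts start
FIRST_LOCKOUT = 1.0       # seconds
MAX_LOCKOUT = 15 * 60.0   # "about 15 minutes": lockout cap and idle-reset window

def lockout_for(failures):
    """Lockout in seconds started by the Nth consecutive failure."""
    if failures <= FREE_FAILURES:
        return 0.0
    steps = min(failures - FREE_FAILURES - 1, 10)  # 2**10 s already exceeds the cap
    return min(FIRST_LOCKOUT * 2 ** steps, MAX_LOCKOUT)

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0
    last_attempt: float = float("-inf")

class SignInThrottle:
    def __init__(self, check_password):
        self.check_password = check_password  # hypothetical callable(user, pw) -> bool
        self.states = {}

    def attempt(self, user, password, now):
        """Return (status, wait_seconds); status is 'ok', 'failed' or 'locked'."""
        st = self.states.setdefault(user, _State())
        if now - st.last_attempt >= MAX_LOCKOUT:
            st.failures, st.locked_until = 0, 0.0  # quiet period resets the schedule
        st.last_attempt = now
        if now < st.locked_until:
            # Ignored: the password is not even checked, so a correct guess
            # made during a lockout reveals nothing.
            return "locked", st.locked_until - now
        if self.check_password(user, password):
            del self.states[user]
            return "ok", 0.0
        st.failures += 1
        wait = lockout_for(st.failures)
        st.locked_until = now + wait
        return "failed", wait
```

The `wait_seconds` value is what a UI can show instead of a bare "try again later".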

Skype For Business Online UCWA application server stops working after some time

The last couple of days I implemented the autodiscovery/auth flow for UCWA against Skype for Business Online and AzureAD. When I'm done and having the URL to the application directory (+ the OAuth2 Credentials) I save those into our internal system. So later on I want to create online meetings with this data. The URL to the applications directory looks like this: https:\/\/webpoolam42e10.infra.lync.com\/ucwa\/oauth\/v1\/applications\/101331226048\/onlineMeetings\/myOnlineMeetings
If I do this within the first minutes of retrieving the data it works just fine. But later on it seems that the application directory is gone. I'm getting this response:
body":"{\"code\":\"NotFound\",\"subcode\":\"ApplicationNotFound\",\"message\":\"An error occurred. Please retry. If the problem persists, contact your support team.\"}
Status Code is 404.
Later on I even tend to get 401 errors that mean unauthorized.
I suspect the application server going away and only being temporarily available. I got a refresh token and a valid access token, so this won't be a problem. I've got no clue what is going on there and wasn't able to find help in the docs. So maybe one of you got any advice - I'd be really thankful!
Side-Info:
I'm doing all this in PHP and I only have user-interaction at the initial authentication. I save the refresh token and all other things I need, so that my server-side application can use the authorization in long term.
Reporting here part of my reply to another question:
Keeping a UCWA App always online:
If you need to achieve that, you need to understand and implement correctly the concepts explained here me Dashboard, especially at Reporting activity section:
call reportMyActivity every 4 minutes max.
maintain an active P-GET with the Events Channel
handle possible timeouts on the Events Channel
handle possible DELETE events (on the Events Channel) the server can send for the application, for which you'll have to regenerate your app Application dashboard
reporting app's activity, and keeping a valid open P-GET with Events Channel are both very important!

API security: Real date of the user

Situation:
I'm creating inner API for my website (Node.js + Express). But I completely don't know how to secure it.
I have payments in my application, and I need to know when user makes it. I use XHR requests for transferring data between server and frontend.
Questions:
Is it secure to transfer user's time to a server (can I trust this information?). If no, how can I get it securely? I thought about transferring user's location, and then with help of moment.js get his time, but it's also not secure if a hacker can replace it with his data.
Can hacker make XHR request from developer's console to my server? If yes, how can I get his real time?
I'll be happy if you answer at least some of my questions.
First of all, I would suggest not writing the code yourself if you are not confident enough about it. Storing payment details is a big responsibility, and can get you in legal trouble if anything gets compromised. I would suggest using services like Paypal to handle the payment.
That said, I am going to answer your question:
You cannot trust ANY information you receive from the user. The time and location can be spoofed/altered very easily.
Yes, it is possible to make (modify) a request from the console (maybe some add-ons and technical knowledge will be required, but it is doable). It is not possible to know the real time of the user. It is only possible to know the session timeout of the server, and estimate the time of the user, relative to the time of the server, based on that. It is also possible to know the IP of the user and estimate the time-zone, but using a VPN or Tor, it is trivial for a user to alter it.
EDIT: Using Paypal would increase the security, compared to writing it yourself. Here is the API reference: https://developer.paypal.com/
EDIT 2: Here is a brief explanation of why you should never trust user input: https://www.enisa.europa.eu/publications/info-notes/the-dangers-of-trusting-user-input

Allow to login only one user at time

In our system one client may have multiple operators. However there is a "wish" from client.
One company has an account, however there can be multiple operators assigned to this company. Client wants us to prepare a solution that only one operator from company can log in to the system at same time. How can I achieve this?
Just by making sure the system has the ability to validate the login on each request. Either
Actively (by querying state -- possibly a database to compare some secrets) or
Passively -- using some form of cryptography and tokens (possibly in the cookie).
Option one is easiest, option 2 is fastest. If you validate on each request you can make sure that only one user remains logged in -- if another user signs in you can invalidate the existing active login -- perhaps with a cooldown period of n amount minutes.
You have to develop some form of login scheme -- Kerberos is the de facto scheme -- read this easy-to-follow tutorial on Kerberos, "Designing an Authentication System: a Dialogue in Four Scenes". It should show you what you really need to do.
You could use a database field to flag that they are logged in. Update the field to 'logged in' when they do so, and then update it to 'logged out' when they log out.
You'd also need to monitor login sessions for expiry to update the field if a user never bothered to explicitly logout.
The best approach I've used:
Create a table used to track whether an operator is logged in (e.g. userid and last_accessed_dt)
On each page request by the operator update the last requested date/time
When an operator attempts to login they can only do so if the last requested date/time > timeout period of sessions on your website (E.g. 30 minutes) or if they are the Last Operator User ID ... this way they can quickly recover from a logoff etc.
When an operator logs off have the Last Accessed cleared
When the session times out have the Last Accessed cleared
"I am using WPF application and the server is written in WCF, however this can be achieved. But what in situation when user has an application opened and was inactive for 30min?"
This system is going to be single-user, so I suggest you start a counter thread when a user logs in. When counter reaches 30 minutes, write a value to the db indicating that user has timed out and other users are free to login. Obviously, you should do the same thing when user explicitly logs out.
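The tracking-table approach from the answers above (last-accessed timestamp, takeover only when the seat is stale or already yours), as an added example that is not part of the original posts. It assumes SQLite, one seat row per company, and hypothetical table and function names; session expiry is handled by comparing timestamps rather than by a background timer.

```python
import sqlite3

SESSION_TIMEOUT = 30 * 60  # seconds; the 30-minute example used in the answers

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # One row per company: the operator holding the seat and when they were last seen.
    db.execute("CREATE TABLE IF NOT EXISTS company_seat ("
               "company_id TEXT PRIMARY KEY, operator_id TEXT NOT NULL, "
               "last_accessed REAL NOT NULL)")
    return db

def try_login(db, company_id, operator_id, now):
    """Claim the seat if it is free, stale, or already held by this operator."""
    with db:
        # Conditional UPDATE: the check and the takeover are a single statement,
        # so two operators racing to log in cannot both succeed.
        cur = db.execute(
            "UPDATE company_seat SET operator_id = ?, last_accessed = ? "
            "WHERE company_id = ? AND (operator_id = ? OR last_accessed <= ?)",
            (operator_id, now, company_id, operator_id, now - SESSION_TIMEOUT))
        if cur.rowcount == 1:
            return True
        # Nothing updated: either no seat row exists yet, or someone else is active.
        cur = db.execute("INSERT OR IGNORE INTO company_seat VALUES (?, ?, ?)",
                         (company_id, operator_id, now))
        return cur.rowcount == 1

def touch(db, company_id, operator_id, now):
    """Call on every request; False means the seat was lost, so reject the request."""
    with db:
        cur = db.execute(
            "UPDATE company_seat SET last_accessed = ? "
            "WHERE company_id = ? AND operator_id = ? AND last_accessed > ?",
            (now, company_id, operator_id, now - SESSION_TIMEOUT))
        return cur.rowcount == 1

def logout(db, company_id, operator_id):
    """Explicit logoff clears the seat, but only for the operator who holds it."""
    with db:
        db.execute("DELETE FROM company_seat WHERE company_id = ? AND operator_id = ?",
                   (company_id, operator_id))
```

Because `touch` is checked on every request, an operator whose seat was taken over after the timeout is rejected on their next call even if their client never logged out.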

Login timeouts: in what cases do you use them?

I'm wondering when login timeouts are being used, specifically when using same session (same browser session). On a number of sites I have completed recently I have added 60 minute timeouts and they seem to be causing problems, such as users are not able to fill out larger forms (like a resume submission--people don't think of copying their resume from another program or saving part way through). On one site, I have implemented a div/popup forcing the user to enter their password to continue in the current session, without having to login again.
But on other sites, such as Facebook, it seems you are never logged out as long as you are using the same browser window, even without "remembering" your password.
The main reason I usually use timeouts is to ensure the data is secure, such that another party can't sit down at the computer a few hours later and use the system as the original user.
I'm wondering how you decide when a site should time out users because of inactivity?
I'm thinking the answer would be language agnostic.
IMO, they're valid when:
security is critical (i.e. banking)
the likelihood of seat-swapping is high (i.e. public terminals)
Regardless, there may be instances like your resume system, where you want people on public terminals to be able to carry out an act that may leave them inactive for longer than your desired or necessary timeout.
I suppose you just have to handle that in a smart fashion - either figure out a way they can get the data in quicker (which would be ace, spending an hour filling out a form is not fun - can they just upload a file?), or ensuring they can continue without any data loss after being prompted to log in again.
Even though 60 minutes seems like a long time to fill out a single form (perhaps the forms should be divided into multiple pages?), you can probably use SlidingExpiration to solve the problem where your users get logged out even though the browser session is alive.
I think the timeout for an auth cookie is a Security level decision. If your site is SSL secured, you would probably have minimal timeout values (user session would expire within a matter of minutes). On the other hand, for sites with non-critical security, you could set a medium timeout value.
When I sign on to online banking, for example, it asks me whether or not I am using a "public terminal": and if I say yes then it enforces stricter security, or if no then laxer.