SoftHSMv2 - How to make created objects survive between sessions? - softhsm

I open a session
I create an AES key with a label by using C_CreateObject
I can lookup the created object by label by using C_FindObjects.
I close the session.
I open a new session.
I can no longer lookup the created object by label using C_FindObjects.
What am I doing wrong?
Thanks!

Two possibilities come to my mind:
Per PKCS#11 2.40,
Only session objects can be created during a read-only session
Therefore the session of C_CreateObject needs to have been opened with the flags argument set to CKF_SERIAL_SESSION | CKF_RW_SESSION .
The pTemplate argment to C_CreateObject needs to include the CKA_TOKEN attribute so that the newly created key would be a "token object" rather than a "session object".
In PKCS#11, a token object is persistent across sessions whereas a session object is ephemeral and would get dropped once the session is closed.
Hope this helps.

Related

ASP.NET Core clear session issue

I have an application where I save some information on the session that later I assign to the model when I save it to the DB.
For example I have the following model saved by User1:
...
MyModel model = new MyModel();
model.name = mypostedModel.name;
model.type = HttpContext.Session.GetString("UniqueTypeForThisUser");
...
After I save the model in my DB, at the end of the post method, I clear the session with this line:
HttpContext.Session.Clear();
Let's say at the same time there's a User2 creating a new model and I have saved another value in the session with a unique key for User2. Same way as before, at the end of the post method I clear the session with the Clear() method.
Does this clear session method clear the session for all users, or only for one user. If for example User1 saves the model first and clears the session for all users, then the User2 will get his session variable cleared (lost) and will assign a null value to my 'type' column for the model.
For the documentation this was not clear for me. Thanks
You Can remove specific keys
HttpContext.Session.Remove("YourSessionKey");
The session object that you can access for example through HttpContext.Session is specific to a single user. Everything you do there will only affect the user that belongs to this session and there is no mix between sessions of other users.
That also means that you do not need to choose session configuration key names that are somewhat specific to a user. So instead of using GetString("UniqueTypeForThisUser"), you can just refer to the values using a general constant name:
var value1 = HttpContext.Session.GetString("Value1");
var value2 = HttpContext.Session.GetString("Value2");
Each user session will then have these values independently. As a result, calling Session.Clear() will also only clear the session storage for that session that is specific to its user.
If you actually do need different means for storing state, be sure to check out the docs on application state. For example, things that should be stored independently of the user can be stored using an in-memory cache.
Does this clear session method clear the session for all users, or only for one user.
The HttpContext is the one for the current request. Since every user has a different request, it follows that clearing the session on the current request only clears it for that request's user, not all users.

Passing a token to a Keyword - Robot Framework

How do I pass a token to another Keyword?
I've created a session and get the token using the following:
${token} set variable ${response.json()["authenticationToken"]}
${head} create dictionary Authorization=Bearer ${token} Content-Type=application/json
In another Keyword I want to create a new session using the above ${head}.
How do I pass this correctly?
Create session list https://whatever.com/ verify=True headers={head}
Because head is a local variable the new session has no clue what this ${head} is in the above code.
You can have the keyword that gets the token and creates the ${head} dictionary return it; then you'll have the value in the calling test case / glue keyword, and pass it to the one that's creating the session.
Another possibility is for the keyword getting the token to set the scope of the ${head} variable to test (Set Test Variable) or suite (Set Suite Variable) level - thus it will be defined for all keywords called after that scope setting.

Is there have any API to reset the adapter successStateExpirationSec?

I defined a security check adapter and configured the property which is shown below.
<securityCheckDefinition name="MySecurityTest" class="com.sample.MyTest">
<property name="successStateExpirationSec" defaultValue="30" description="How long is a successful state valid for (seconds)"/>
</securityCheckDefinition>
The configuration means that when I pass the security check, I can access the protected resource under the scope for 30 seconds.
After 30 seconds, the server will force client to logout.
However, no user want their app repeatedly doing validation with high frequency.
We know we can increase the value of successStateExpirationSec, unfortunately, it cannot meet our requirement.
How can I extend the property "successStateExpirationSec" before the time
expired and without revalidation ?
It is not recommended to update the "SuccessStateExpirationSecond" after setting it and before it expires. I think Logical approach for your usecase is to determine the proper value "SuccessExpirationSecond" and set the properties to that value.
Instead of updating in the SecurityCheckDefinition in adapter.xml, you can also set it programatically by Extending "CredentialValidationSecurityCheck" .
Refer sample here .This allows you to set the default properties value.

DropboxUnlinkedException but the session already had token inside and user didn't revoke the access

My problem is I have existing user in database which store the key and secret from the first authentication. I wish to reuse it again when I come back. For the first time authentication, everything working fine. I can use every method call from Dropbox API and the Token(key and secret) was stored in database.
I come back to app and get the Token from database, set it to the session, link current session with API.
session = new WebAuthSession(appKeys, ACCESS_TYPE);
api = new DropboxAPI<WebAuthSession>(session);
String userKey = dropboxUserObj.getUserKey(); //Key from database
String userSecret = dropboxUserObj.getUserSecret();//Secret from database
AccessTokenPair userAccessTokenPair = new AccessTokenPair(userKey, userSecret);
session.setAccessTokenPair(userAccessTokenPair);
It return DropboxUnlinkedException to me when I want to get user data from api using
String userDisplayName = api.accountInfo().displayname;
I have checked on debug mode. Api was linked with the current session. The current session stored Appkey and user's token and correct access type. The point that I doubt is I saw "client = null". I maybe forgot something but I check them all, try every possibilities I can think of but it still return me "DropboxUnlinkedException" which mean I haven't set an access token pair on the session and I didn't revoke access for sure.
Please help me figure out...
I added a screenshot maybe it can illustrate my problem

multiple user logins in jmeter

I am using jmeter to test a php application. I need to create a different thread with a unique session for each user. Because in my application you can only have one login per user at a time so putting 100 times the same user I will not get to any conclusion.
I have created 40 users user0,user1....user39 with the same password is there a way to automatically create simultaneous threads for each of them?
Thanks
I just implemented this using jmeter for an app that uses Spring Security (It would be very similar to PHP). This is fairly straightforward, basically:
1) Create a new CSV file using a text editor
Ex: CSVSample_user.csv
username1, password1
username2, password2
2) In jmeter, create a CSV Data Set Config element
Thread Group>add>Config Element>CSV Data Set Config
=> Assign variable names (see image)
3) Create an HTTP Request element
Thread Group>add>Sampler>HTTP Request
=> Create a POST with parameters, have the variable you created
put the values for the parameter. (See bottom image).
NOTE: There are other elements you need, such as cookie manager, etc. Also number of threads needs to be set to the number of login users.
You can use a CSV Data Set Config. This control will allow you to use an external source of variables.
Add -> Config Element -> CSV Data Set Config
You must set the variable names, something like:
Variable Names (comma-delimited): USERNAME,PASSWORD
Then you can use the variables in your HTTP Requests parameters like:
${USERNAME} and ${PASSWORD}
I realize this question is over a year old, but I just came across the same issue and thought I'd add my solution for anyone else who stumbles upon this issue.
If you have a sequence of usernames and passwords that are simply differentiated by numbers at the end of their values, you can use the __threadNum variable to log them in. So for the value of username you might say user${__threadNum}.
This solution is simpler than including a csv but only works where you have a list such as the one you suggested in your question.
keep csv file and testplan (i.e jmx) in a same folder and recheck the variable name in CSV datasetconfig and http request for any typing error.