I authorized the group of a user to the cockpit-application. I gave the group full access to the Process Definition and Process Instance authorizations. (so pretty much as described in the documentation)
When I try to log the user in, I see the Welcome screen and in the application overview the option to navigate to the cockpit-application.
However, when I click this, I get the Login screen again.
For a fraction of a second I see the cockpit application, but then it immidiatly redirects to the login page. When I try to log in again, it keeps redirecting me to this login screen.
I configured another group to use the Tasklist application and that is working as expected.
I tried to give the authorization on user-level instead of group-level but the same problems occurs.
(n.b.: I am using the Spring-Camunda-Starter for this application.)
I found the problem, I accidentally removed one of the authorizations the system automatically creates when the user is created. I think I might have removed this, as I thought it was not necessary.
It is in the User Authorizations, every user has an authorization from it's own user to that user. When I added this, it fixed the problem.
I found the solution when another user logged in and had no problems. And the found this to be the only difference between the two accounts.
Hopefully this will help someone in the future!
I have a request from my customer: 'Prevent multi user with same account id login at the same time'. I have implemented like this: create userflag in account table. When user login, flag is active (1). The other can't login when flag was 1. When user log out, the flag is deactive(0).
But I have trouble when user doesn't logout. If he directly close browser, the flag still active. Could you give me some advised to fix this problem ?
Besides, in asp.net core, I can't find something like SessionEnd event, because I want whenever sessionend, I'll return flag of user in DB, but I can't find it. Please give me some advised. Thanks
In my Laravel application, after a user is logged for the first time after registration using
loginUsingId()
the user gets authenticated (logged in). But after a few hours (maybe 2-3 hours. I'm not sure), after the session has expired or the user has logged out, it can't log in back again using:
Auth::attempt()
But it happens for a reason that I don't know. Why is this happening? Please share your expertise on this.
Most probably, you are not storing the registration data perfectly in the DB.
Is the password hashed perfectly?)
Or cipher proble. Help here.
Or rememberToken methods are not set up perfectly. Help Here.
Well, you type username and password in form, hit "OK" button. Then data going to server side and check users database if that user is existed. Then it return user id. And what next?
That data is saved in cookies?
Does it mean, that with every clicked link, site login you to website again?
I mean,
you click some link on site
browser redirect you to that page
site checks your cookies
site grab username and password from cookies
site checks is that data is valid (via connecting to database)
show page to you
Is that correct?
User enters credential.
System validates credential.
Upon successful authentication, server saves user object into session.
System grabs user info from session.
System displays webpage.
Tadaa!! :)
UPDATE
To add a little more...
User visits the secured webpage.
System checks if session contains a user object.
If user object exists in session, allow user through to visit the page.
If user object doesn't exists, redirect user to login page.
You don't need to store user password in the session. In fact, it is highly discouraged. Checking to make sure the user object exists in the session is sufficient.
When the user clicks the logout page, then proceed to invalidate the session... that's it. :)
Almost correct. You rarely go to the database with every request. You usually set a cookie with a expiry date and save the user session and info in memory. So every time a request is made, if the user is not authenticated, you authenticate him, generate and send him a cookie with, say, 5h expiry. So, in the next 5 hours, whenever a request comes in with that cookie, you trust that the user is an authenticated, valid user and you don't have to check the database.
It's not how every site does it nor it is the only way to manage session and cookies but I think it is the most widely used.
You should probably use sessions, but that's pretty much the gist of it. That way the data doesn't accidentally persist.
I mean, for my simple site at home, that's how I do it. But it's still locally hosted, so the security is guaranteed to be crap.
Oh, and no need to check with the database whenever you click on another link -- too much time wasted.
Typically, an application takes advantage of the session that is established between the browser and the web server, and makes a note that that session is "authenticated". "session" is a built in feature of HTTP. If the browser is closed, or after a certain period of time passes, the session is automatically closed. If the user does an explicit logout, the application marks the session as not-authenticated.
.. Or is it enough to just check for a session variable that indicates a successful login has in fact been performed?
What are different ways to go about this? The ideal and not so ideal?
Thanks!
Third alternative: HMAC-ed cookie. No need to hit database/session-store at all.
Details.
Even if a user has an active session that is restores via cookie for example, you need to verify his account data.
If you don't check the current database entries for a user, he could possibly login although his profile has been banned or something like that.
The reverse situation can happen if your user opens a session in one browser (at home for example), upgrades his account to some "premium" (or whatever) account with another session (maybe from his office). When he returns home, he would get his old session that has no "premium" privileges.
So, always check the data for your user profiles. I would recommend to check them on EVERY request to your website. Your session data should only say WHO the user is and not WHAT he is allowed to do.