X-CSRF-Token issue in Ionic. Every time a different token is received - authentication

I have a backend with Drupal.
I am using Drupal Services to interact with it, which provides a REST server.
I created an endpoint named 'api'.
The following sequence works in a normal browser or any HTTP client like Postman:
example.com/api/login (works).
The API sends back user data (token, session id, session name etc.).
For any further request I make, I send the token as X-CSRF-Token (all requests work).
I can even log out the same session with the token received before.
IN THE IONIC APP:
I can log in and I also store the user data (token, session data etc.) in local storage after login.
Here's the difference in the app:
When I send the same token back to the server while making a request (say logout),
the server's response is "User is not Logged In."
Why does this happen?
Update:
After logging in I tried getting the current token from the server, and it was different from the one I saved after successfully logging in.
Every time a different token is received.

I faced the same issue. The problem was I never set the cookie and Chrome did this for me automatically.
Luckily I found this great site:
drupalionic.org
There are links to a few demos as well as good descriptions and code.
So what you have to do is:
- log in
- retrieve the session data and set the cookie
- perform subsequent requests with the cookie data and X-CSRF-Token in your header
Here is a flowchart:
Was this helpful for you?
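The exchange the answer above describes, reproduced offline as an added example (this is not code from the original post, from Drupal Services or from drupalionic.org). It models the Drupal 7 Services session/CSRF behaviour: the X-CSRF-Token is bound to the session cookie, so a request that carries the token but not the cookie lands on a brand-new anonymous session, which is why the server answers "User is not logged in" and why every cookie-less token request returns a different token. The endpoint paths, the cookie name SESS1234abcd, the credentials and the deterministic token values are constructed for the demo; real Drupal session names are SESS followed by a hash and real tokens are random.

```javascript
// Added example: mock of Drupal Services' session + CSRF token binding (not Drupal's code).
const SESSION_NAME = 'SESS1234abcd'; // constructed; Drupal derives the real name from a site hash

class MockDrupalServices {
  constructor() {
    this.sessions = new Map(); // sessid -> { uid, token }
    this.seq = 0;
  }

  // Every session, anonymous or authenticated, carries its own CSRF token.
  createSession(uid) {
    this.seq += 1;
    const sessid = `sid${this.seq}`;
    const token = `csrf-token-${this.seq}`; // deterministic for the demo only
    this.sessions.set(sessid, { uid, token });
    return sessid;
  }

  // Resolve the caller's session from the Cookie header. Without a valid cookie the
  // request gets a fresh anonymous session: exactly what an app sees when it sends
  // X-CSRF-Token from local storage but never sends the session cookie back.
  resolveSession(headers) {
    const cookie = headers.Cookie || '';
    const match = cookie.match(new RegExp(`${SESSION_NAME}=([^;]+)`));
    if (match && this.sessions.has(match[1])) return match[1];
    return this.createSession(0);
  }

  handle(method, path, headers = {}, body = {}) {
    const sessid = this.resolveSession(headers);
    const session = this.sessions.get(sessid);

    if (method === 'POST' && path === 'api/user/login') {
      if (body.username !== 'alice' || body.password !== 'secret') { // constructed credentials
        return { status: 401, body: 'Wrong username or password.' };
      }
      const newSid = this.createSession(1); // login issues a new authenticated session
      const fresh = this.sessions.get(newSid);
      return {
        status: 200,
        body: { sessid: newSid, session_name: SESSION_NAME, token: fresh.token, user: { uid: 1 } },
      };
    }

    if (method === 'POST' && path === 'services/session/token') {
      return { status: 200, body: session.token }; // token of whatever session the cookie selects
    }

    if (method === 'POST' && path === 'api/user/logout') {
      if (session.uid === 0) return { status: 401, body: 'User is not logged in.' };
      if (headers['X-CSRF-Token'] !== session.token) return { status: 401, body: 'CSRF validation failed' };
      this.sessions.delete(sessid);
      return { status: 200, body: [true] };
    }
    return { status: 404, body: 'Not found' };
  }
}

// Client side: the headers the app must send on every request after login. Saving the
// token and session data in local storage only helps if the cookie goes back too.
function authHeaders(saved) {
  return {
    Cookie: `${saved.session_name}=${saved.sessid}`,
    'X-CSRF-Token': saved.token,
  };
}

// Reproduce the thread's symptom, then the fix, against the mock server.
function demo() {
  const server = new MockDrupalServices();
  const login = server.handle('POST', 'api/user/login', {}, { username: 'alice', password: 'secret' });
  const saved = login.body; // what the app writes to local storage

  // Token only, no cookie: each call is a new anonymous session with a new token.
  const tokenOnly = { 'X-CSRF-Token': saved.token };
  const t1 = server.handle('POST', 'services/session/token', tokenOnly).body;
  const t2 = server.handle('POST', 'services/session/token', tokenOnly).body;
  const logoutNoCookie = server.handle('POST', 'api/user/logout', tokenOnly);

  // Cookie present but wrong token: the session is found, the CSRF check still fails.
  const logoutWrongToken = server.handle('POST', 'api/user/logout', { ...authHeaders(saved), 'X-CSRF-Token': 'bogus' });

  // Cookie plus the saved token: the logged-in session is found and the token matches.
  const logoutWithCookie = server.handle('POST', 'api/user/logout', authHeaders(saved));

  return { savedToken: saved.token, t1, t2, logoutNoCookie, logoutWrongToken, logoutWithCookie };
}
```

In a real Ionic app the cookie is set by the WebView on the first response only if the app's HTTP layer is configured to send credentials; when it is not, the pattern above is what the request must look like on the wire: `Cookie: <session_name>=<sessid>` plus `X-CSRF-Token`, both taken from the login response.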

Related

Session persists error in JMeter authenticate request

In my JMeter web recording, I have an api/authenticate part which generates the token that has to be used in subsequent requests. I did the correlation part too. But the problem I face now is that api/authenticate throws a "session still persists" error after some time. In my script I have a log out option too. In api/authenticate I am providing the username and password in the headers. Since the "session exists" error is there, I can't get the token in the response body. Is it something that developers can fix for us? Can you please help me with this? Or is there any request missing above this authentication part which JMeter didn't capture? I have an authentication header manager added to my test plan to clear authorization every iteration, and also a cookie manager and cache manager. Nothing clears the session.
For a well-behaved application the "log out" request should clear the session; if it doesn't, you need to report it to your application developers.
Also check the token response: it might be the case that it has some time to live, and if so the token persistence could be part of your application's functionality, so if there is a username/password combination associated with the token you should be using it until it expires before getting a new one. You can write the token and its expiration date into a CSV file using Flexible File Writer and use an If Controller to check whether the token is still active or not.

ASP.NET Core Identity Server 4 , Loss of Request Data after reauthentication

I have a case with an Order System (ASP.NET Core 2.2 with Identity Server 4 auth)
where I post form-data to an external Api from a Controller for Payment purposes.
The remote Api is configured with a return-url (after Payment is processed)
The problem is that when the user is returned to my system they are no longer authenticated, so they are automatically redirected to the identity server and automatically re-authenticated (as the cookie is still valid), but in this process the returned data from the API is lost. I can see the data (and the complete request) in my logs, but the controller method for the return-url is never accessed (as before that point the middleware has detected the user is not authenticated, or this is my assumption).
If I cannot capture the returned data I cannot save the results from the payment attempt.
(For testing purposes I have set the [AllowAnonymous] attribute on the return-url controller method, but this did not work. It still redirected to the identity server.)
How does one solve this, as I cannot handle it in the controller method since that is never accessed?
(The remote Api does allow for custom parameters to be passed and then returned as query-strings to the return-url.)
Thanks
//Jonas
[Edit]: The response is posting some user data like address etc. to the web service (it is not a REST API, sorry for mixing words). The user then gets an HTML response from the remote web service with a form to post the credit card info. At this point they are no longer on our site; after the post they are redirected to the return-url on our site. This is where they are no longer authenticated, but I assume they still have the cookie, as they are automatically logged in without needing to input username and password again. (So I guess in a sense they are still authenticated, but the system is not able to get the user info. User info is filled again after the re-route to the identity server and back.)

Express Session not working with DialogFlow

I have deployed an Express app on Heroku, set my webhook to that address and use my DG agent to make POST requests to the endpoint on Heroku.
The webhook passes the parameters' body over to another web service and that's fine. I need to keep track of the cookie the web service passes back in order to send it back and keep the context of the conversation.
At the moment I am saving a file on the server with Express's session id (req.session.id) and the cookie value. Everything works if I make the POST call via Postman or via a form, so let's say the web application is tracking sessions properly.
On the contrary, if I test my webhook with the DialogFlow agent, I receive a new session id for each request to my endpoint on Heroku.
I don't understand why... What am I missing?
I do not believe you can rely on the request from DialogFlow maintaining a cookie for you.
We are using DialogFlow, Google Actions, and Node.js. We retain session information by including data in the response we send back, which we then read when the next request comes in. When writing a response we put our session data (JSON) on the assistant.data attribute. When receiving a request we get session data from the incoming event.body.
We had considered trying to live off a unique ID of the incoming request, such as a user ID or device ID, but did not pursue it.
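The pattern the answer describes, as an added example that is not part of the original post or of the actions-on-google library it mentions: instead of expecting Dialogflow to replay an Express cookie, the webhook puts the upstream web service's cookie into an output context in its response and reads it back from `queryResult.outputContexts` on the next turn. It uses the Dialogflow v2 webhook JSON shape (`session`, `queryResult.outputContexts`, response `outputContexts`); the context name `upstream_session`, the stand-in upstream service and the two request bodies are constructed for the demo.

```javascript
// Added example: round-tripping conversation state through Dialogflow contexts (not the
// original poster's code). Dialogflow echoes the outputContexts we return in the next request.
const CONTEXT = 'upstream_session';
const LIFESPAN = 5; // number of turns the context survives if we stop refreshing it

// Find our context in the incoming request; absent on the first turn of a conversation.
function readUpstreamCookie(body) {
  const contexts = (body.queryResult && body.queryResult.outputContexts) || [];
  const ctx = contexts.find((c) => c.name.endsWith(`/contexts/${CONTEXT}`));
  return ctx && ctx.parameters && ctx.parameters.cookie ? ctx.parameters.cookie : null;
}

// Build the webhook response, carrying the upstream cookie forward in an output context.
function buildResponse(body, text, cookie) {
  return {
    fulfillmentText: text,
    outputContexts: [
      {
        name: `${body.session}/contexts/${CONTEXT}`,
        lifespanCount: LIFESPAN,
        parameters: { cookie },
      },
    ],
  };
}

// Constructed stand-in for the external web service that issues and expects a cookie:
// the first call (no cookie) starts a conversation and returns a Set-Cookie value,
// later calls must present it or the upstream context is lost.
function mockUpstream(cookie, utterance) {
  if (!cookie) return { setCookie: 'UPSTREAM=abc123', reply: `started: ${utterance}` };
  if (cookie !== 'UPSTREAM=abc123') return { setCookie: null, reply: 'context lost' };
  return { setCookie: cookie, reply: `continued: ${utterance}` };
}

// The webhook handler body: an Express route would call this with req.body and
// res.json() the result.
function handleWebhook(body) {
  const cookie = readUpstreamCookie(body);
  const up = mockUpstream(cookie, body.queryResult.queryText);
  return buildResponse(body, up.reply, up.setCookie);
}

// Simulate two turns: Dialogflow feeds the contexts from turn 1 back into turn 2.
function twoTurnDemo() {
  const session = 'projects/demo-project/agent/sessions/session-1'; // constructed
  const turn1 = handleWebhook({ session, queryResult: { queryText: 'hello', outputContexts: [] } });
  const turn2 = handleWebhook({
    session,
    queryResult: { queryText: 'more', outputContexts: turn1.outputContexts },
  });
  return { turn1, turn2 };
}
```

One caveat: the upstream cookie is a bearer credential for that service's session, and in this design it transits Dialogflow in clear inside the context. If that is not acceptable, keep the cookie in a server-side map keyed on the request's `session` string (which is unique per Dialogflow conversation) and put only an opaque reference in the context.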

.net core 2.0 & Identityserver4 : Cookie Not getting expired after logout

I am using IdentityServer4 for all configured clients with "AccessTokenType=1", i.e. reference type.
I have one web app hosted for the server, and another one for the clients.
I used the default IdentityServer settings, which generated two cookies, one for the session id, "idsrv.session", and the other one for authentication, "idsrv".
In logout I do sign out:
await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme);
however it gives an error when I call it with "idsrv.session":
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCheckSessionCookieName);
Issue / Steps to reproduce the problem
1st iteration: I log in on my client website, which redirects to my IdentityServer application. I now intercept the request and response using Burp Suite. I copy the complete response, which has the redirect URLs and cookie details.
I sign out/log out from the client website.
2nd iteration: I try logging in again, and intercept the request and response using Burp Suite, passing wrong credentials. While intercepting the response I just copy the cookies from the previous request (which was successful in my first iteration), and observe that IdentityServer successfully validates the user using the cookie value, ignoring the wrong credentials in this iteration.
Even when I tried invalidating and deleting the cookies in my signout/logout method, it looks like IdentityServer still recognises them as valid.
Brock Allen directed me to the correct solution. According to him:
This is the real issue you're asking about -- when you signout, you want the cookie to no longer be valid, even in the scenario when it's stolen and replayed. This is not something IdentityServer can address, because we use Microsoft's cookie authentication to achieve signin. You would have to fix this by changing the default usage of their component. You can do it by implementing "server-side cookie" (a term that I dislike) by implementing an ITicketStore: https://github.com/aspnet/Security/blob/master/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationOptions.cs#L136
Details Here
https://github.com/IdentityServer/IdentityServer4/issues/2565

Using JMeter with ASP .NET MVC 4 web app returns 500 status error when logging into web app. Why?

I'm using JMeter to load test my web app. I created two HTTP Requests, one to visit the login page and the other to log into my account. The visit-login-page HTTP request works fine and returns a 302 Found status. JMeter displays the login page and there are 0% errors on that page.
However, when I try to log into my account using the POST data I retrieved from Firebug, it doesn't work and returns a 500 status error.
I am having difficulty getting the log-into-my-account feature to work. I have tried to send a POST request with the following:
1) __RequestVerificationToken
2) languageDropDown (My web app requires it)
3) UserName
4) Password
but I am still getting the error.
I followed this tutorial as it's the only one on ASP.NET MVC web apps...
http://build-failed.blogspot.pt/2012/07/load-testing-aspnet-mvc-part-3-jmeter.html
But I didn't do the feedback form data because I don't need it. I just grabbed the general concepts and the regular expression from that webpage and tried it on my app, but it fails.
Why? How do I fix it?
Is it because I have cookies to store the session and only unique users can log into my web app at one time? I did add a cookie manager though.
BTW, this is on a deployed web application (not localhost).
Some photos; I blocked out all sensitive information (sorry) and some of the tokens (just in case?).
Are you sure you have a static authentication token? Might it be dynamic?
Look at the second video that deals with the token at 5:37 min to understand how to extract a dynamic authentication token.
Apart from the HTTP Cookie Manager, try adding an HTTP Cache Manager as well.
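The correlation step the answer points at, as an added example (not code from the original post, from JMeter or from the linked tutorial). The __RequestVerificationToken hidden field on an ASP.NET MVC login page is generated per response, so the value recorded in Firebug is stale on the next run and has to be pulled out of the live GET before each POST, which is what JMeter's Regular Expression Extractor does. The functions below do that extraction, tolerate either attribute order in the input tag, and build the urlencoded body for the login POST. The two HTML samples are constructed to contain the fields named in the question; the field names, credentials and token strings are assumptions.

```javascript
// Added example: extracting a per-response anti-forgery token and building the login POST
// (not JMeter's own code; a model of what the extractor + HTTP Request sampler do).

// Extract a hidden input's value regardless of attribute order, which varies between
// Razor versions (name before value, or value before name). Returns null if absent.
function extractHiddenField(html, fieldName) {
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  for (const tag of inputs) {
    const name = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!name || name[1] !== fieldName) continue;
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    return value ? value[1] : '';
  }
  return null;
}

// Build the application/x-www-form-urlencoded body for the login POST, using the token
// from the page that was just fetched rather than a recorded constant.
function buildLoginBody(html, userName, password, language) {
  const token = extractHiddenField(html, '__RequestVerificationToken');
  if (token === null) throw new Error('login page has no __RequestVerificationToken field');
  const fields = {
    __RequestVerificationToken: token,
    languageDropDown: language,
    UserName: userName,
    Password: password,
  };
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Constructed responses from two separate GETs of the login page: same markup, fresh token,
// and a different attribute order to mimic a different Razor/helper version.
const RECORDED_LOGIN_PAGE = `
<form action="/Account/Login" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="recorded-token-AAA" />
  <select name="languageDropDown"><option value="en">English</option></select>
  <input id="UserName" name="UserName" type="text" value="" />
  <input id="Password" name="Password" type="password" />
</form>`;

const FRESH_LOGIN_PAGE = RECORDED_LOGIN_PAGE.replace(
  '<input name="__RequestVerificationToken" type="hidden" value="recorded-token-AAA" />',
  '<input type="hidden" value="fresh-token-BBB" name="__RequestVerificationToken" />',
);

// Show that the recorded token is not the one the live page carries, and build the POST
// from the live page.
function correlateDemo() {
  return {
    recordedToken: extractHiddenField(RECORDED_LOGIN_PAGE, '__RequestVerificationToken'),
    freshToken: extractHiddenField(FRESH_LOGIN_PAGE, '__RequestVerificationToken'),
    body: buildLoginBody(FRESH_LOGIN_PAGE, 'alice', 'p&ss word', 'en'),
  };
}
```

The form token is only half of the check: ASP.NET MVC's anti-forgery validation pairs it with the __RequestVerificationToken cookie set on the same GET, which the HTTP Cookie Manager keeps for you. Both must come from the same page load in the same thread, so the GET and the POST need to run in sequence within one JMeter thread.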