MVC Web Api redirect to locked screen when application is idle - asp.net-mvc-4

I have an MVC Web API application running in VS2012. As per the user requirement, the application should redirect to a locked screen when the application is idle for 30 seconds. Can anyone please guide me to solve this issue?

Web API cannot provoke redirects.
What you need to do is something on the client side (JavaScript) that detects the lack of activity during 30 seconds and then locks the screen, for example by placing a CSS overlay. If you really want to redirect to a locked page, for example the login page, you need to change the browser URL, like this: window.location.href = newUrl;. You should also terminate the user session at this point. If not, someone can type another URL of your application and will reach it with the authentication of the current session.
What you can do to enter the locked state is to use JavaScript's setTimeout. Set a timeout of 30 seconds with a callback to the locking script. And do something to reset the time out if you detect activity on the page, which usually involves subscribing to events.
The most difficult part to implement is the detection of activity in the page. You can see some ideas on this SO Q&A: Detecting idle time in JavaScript elegantly. See the highly voted answers, which include very interesting ideas.
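The setTimeout/reset approach described above, as an added example that is not part of the answer: a small idle-lock class whose timer functions are injectable so the countdown logic can be checked outside a browser, plus the lock action that ends the server-side session before navigating. The /api/logout endpoint and the /Account/Login page are hypothetical names assumed by this example.

```javascript
// Added example (not from the answer above): a client-side idle lock.
// Assumes a logout endpoint at /api/logout and a login page at
// /Account/Login; both names are hypothetical.
const IDLE_LIMIT_MS = 30 * 1000;
const ACTIVITY_EVENTS = ['mousemove', 'keydown', 'mousedown', 'scroll', 'touchstart'];

class IdleLock {
  constructor(onIdle, options = {}) {
    this.onIdle = onIdle;
    this.limitMs = options.limitMs ?? IDLE_LIMIT_MS;
    // Timer functions are injectable so the logic runs without a browser.
    this.schedule = options.schedule ?? ((cb, ms) => setTimeout(cb, ms));
    this.cancel = options.cancel ?? ((h) => clearTimeout(h));
    this.handle = null;
    this.locked = false;
    this.resetCount = 0;
    this.onActivity = () => this.activity();
  }

  // Subscribe to user-activity events and arm the first countdown.
  start(target) {
    for (const ev of ACTIVITY_EVENTS) target.addEventListener(ev, this.onActivity, { passive: true });
    this.arm();
    return this;
  }

  stop(target) {
    for (const ev of ACTIVITY_EVENTS) target.removeEventListener(ev, this.onActivity);
    if (this.handle !== null) { this.cancel(this.handle); this.handle = null; }
  }

  // Any activity restarts the countdown. Activity after locking is ignored so
  // a stray mousemove cannot cancel a lock that is already in progress.
  activity() {
    if (this.locked) return;
    this.resetCount += 1;
    this.arm();
  }

  // Replace the pending timer with a fresh one; only one timer is ever live.
  arm() {
    if (this.handle !== null) this.cancel(this.handle);
    this.handle = this.schedule(() => this.lock(), this.limitMs);
  }

  lock() {
    this.handle = null;
    this.locked = true;
    this.onIdle();
  }
}

// Lock action: end the server-side session first, then leave the page.
// Navigating alone would leave the session usable by anyone who types
// another URL of the application.
function lockScreen() {
  fetch('/api/logout', { method: 'POST', credentials: 'same-origin' })
    .catch(() => {}) // even if logout fails, do not stay on the protected page
    .finally(() => { window.location.href = '/Account/Login?reason=idle'; });
}

if (typeof document !== 'undefined') {
  new IdleLock(lockScreen).start(document);
}
```

The lock callback is deliberately separate from the timer class: the server-side logout is the part that actually protects the session, and the redirect is only the visible effect.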

The easiest way in my opinion is to write this <meta http-equiv="refresh" content="30;URL='home.html'" /> in the header of your page
and set the session timeout in web.xml or web.config to equal 30.

Related

Mobile Edge For Android, 302 redirect issue with Service Worker and authentication cookie

I have a PWA site which is working fine on Firefox, Chrome and Edge on Windows, and all of those on Android, Edge (EdgeA).
The problem
This much I know from looking at my Azure server logs:
(1) The login POST hits a Core 2.2 controller which does the authentication and returns 302 along with a standard Core 2.2 cookie set including the authentication token for the user.
(2) The EdgeAndroid browser receives that, and immediately GETs the location specified.... except this GET doesn't include the cookies from (1), so the Core 2.2 system responds with a 302 back to the login page.
It's a redirect loop.
-> EdgeA is eating my cookies!
I can run this perfectly on the above browsers, and the logs show Edge/Windows for example has the (1)(2) sequence exactly as you'd expect, with the cookie credentials in the second request.
The only thing different is Edge Android. I stripped out all the caching from my service worker for that browser and it's still broken - I think I may need to just not run the service worker for it at all.
... and my questions are:
Does anyone have a PWA which actually works in EdgeA?
Does anyone have any idea what I may have missed? Note it's just this one browser which is broken, hence it may be them not me.
In case it is them not me, is there a place I have not yet googled where I can report defects in this possibly minor-interest browser?
This sounds similar, although that's cross-domain, and my 302 is not cross domain.
I think this was caused by the Edge Android Browser interpreting the display:standalone directive and consequently opening a "stand alone" window, which does not carry over the cookies from the original browser.
The server logs show that the EdgeA client "drops the cookies" when handling a "login successful" 302 response from the standard Core 2.2 login stuff.
My work around is to serve a specific manifest.json to the EdgeA browser, so that it reads display:browser.
At the same time I fixed this MS released a new version of EdgeA, so I can't be 100% sure if my change fixed this or if they actually listened to my whining.

How to use FirebaseUI in redirect mode without a dedicated sign-in page?

I want to use FirebaseUI in redirect mode, as opposed to the current popup mode I'm using. But I don't want to have a separate dedicated login URL, instead I want the user to be able to log in from any URL (using a custom dialog as the UI container for FirebaseUI).
The problem I run into is that when starting the login process, I show the dialog and the user selects their auth provider, gets redirected to the auth website, but then they are redirected back to the original URL on my website.
Now the UI container dialog is not displayed and firebaseUI.start() doesn't get called because the webpage doesn't know that the user is in the process of logging in. The result is that nothing happens - the user is halfway through the login process.
Is there any way I can specify a URL for the first redirect? I'm not talking about the final signInSuccessUrl config parameter, but something similar for the first redirect back to my website?
That way I'd be able to send the original URL that started the login process along with a flag or something that tells the webpage that the user is in the middle of a login flow so that it can display the login process UI container and call firebaseUI.start() to perform the last redirect.
You can start FirebaseUI from any URL, but the underlying signInWithRedirect always returns to the same URL. Calling start on redirect will complete the sign-in. If you have some condition where you don't always display the sign-in UI, you can use some flag pendingRedirect which you save in sessionStorage and check before rendering the UI to complete the sign-in on return. You would clear that after rendering.
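The pendingRedirect flag described in this answer, as an added example that is not part of the answer or of FirebaseUI itself. The flag is written before the redirect and read on every page load; when present, the dialog is re-shown and ui.start() is called so the redirect sign-in completes. MemoryStorage is a constructed stand-in for sessionStorage so the logic can run outside a browser; the element ids, the returnTo bookkeeping and the stale-flag cutoff are this example's assumptions, while signInFlow, ui.start and signInSuccessWithAuthResult are real FirebaseUI names.

```javascript
// Added example (not from the answer above): a sessionStorage "pendingRedirect"
// flag that re-creates the dialog and FirebaseUI when the provider sends the
// user back. Element ids, returnTo and the 10-minute cutoff are assumptions.
const PENDING_KEY = 'pendingRedirect';

// Constructed stand-in for window.sessionStorage so the logic runs without a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}

function markPendingRedirect(storage, returnTo, now = Date.now) {
  storage.setItem(PENDING_KEY, JSON.stringify({ returnTo, startedAt: now() }));
}

function readPendingRedirect(storage) {
  const raw = storage.getItem(PENDING_KEY);
  if (raw === null) return null;
  try { return JSON.parse(raw); } catch { return null; }
}

function clearPendingRedirect(storage) { storage.removeItem(PENDING_KEY); }

// Called when the user clicks "sign in" on any page of the site.
function beginSignIn(storage, { showDialog, startUi, currentUrl }) {
  markPendingRedirect(storage, currentUrl);
  showDialog();
  startUi(); // with signInFlow: 'redirect' this navigates to the provider
}

// Called on every page load. Returns what it did so the behaviour is testable.
function resumeSignInIfPending(storage, { showDialog, startUi, maxAgeMs = 10 * 60 * 1000, now = Date.now }) {
  const pending = readPendingRedirect(storage);
  if (pending === null) return { resumed: false };
  // Clear before rendering: if completing the sign-in throws, the next page
  // load does not re-open the dialog forever.
  clearPendingRedirect(storage);
  if (typeof pending.startedAt !== 'number' || now() - pending.startedAt > maxAgeMs) {
    return { resumed: false, reason: 'stale' };
  }
  showDialog();
  startUi(); // ui.start() on the return URL completes the redirect sign-in
  return { resumed: true, returnTo: pending.returnTo };
}

// Browser wiring; only runs when the FirebaseUI compat scripts are loaded.
if (typeof window !== 'undefined' && window.firebaseui && window.firebase) {
  const ui = new firebaseui.auth.AuthUI(firebase.auth());
  const dialog = document.getElementById('login-dialog'); // hypothetical element
  const hooks = {
    showDialog: () => { dialog.hidden = false; },
    startUi: () => ui.start('#firebaseui-container', { // hypothetical container
      signInFlow: 'redirect',
      signInOptions: [firebase.auth.GoogleAuthProvider.PROVIDER_ID],
      // Return false so FirebaseUI does not navigate to signInSuccessUrl.
      callbacks: { signInSuccessWithAuthResult: () => { dialog.hidden = true; return false; } },
    }),
  };
  resumeSignInIfPending(window.sessionStorage, hooks);
  document.getElementById('sign-in-button')?.addEventListener('click', () =>
    beginSignIn(window.sessionStorage, { ...hooks, currentUrl: location.href }));
}
```

The flag is cleared before the UI is rendered rather than after, which is a small departure from the wording above: it guarantees that a failure while completing the sign-in cannot leave the page re-opening the dialog on every load.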

Yii Flash Messages not showing - possible HTTP Proxy browsing?

I'm investigating a problem a user is having with a web application that is built using Yii.
The user is not seeing the Yii 'flash' session-based user-feedback messages. These messages are shown once to a user and then destroyed (so they're not shown on subsequent page loads).
I took a look at the server access logs and I noticed something weird.
When this user requests a page there is a second identical request but from a different IP and with a different User Agent string. The second request is often at the same time or is sometimes (at most) a couple of minutes later. A bit of googling leads me to the conclusion that the user is browsing the web using an HTTP Proxy.
So, is this likely to be an HTTP Proxy? Or could it be something more suspicious? And if it is an HTTP Proxy, does this explain why they're not seeing the flash session messages? Could it be that the messages are being 'shown' to the Proxy and then destroyed?

Clicking the back button after logging out still renders my password protected page

I'm writing a Web Application using ASP.NET 4.0 and C#. In my application when I logout the page redirects to the Default page. But when I click the back button in my browser, it goes back to the Web page that I was working even though I'm logged out.
How do I stop it doing this?
You could set cache headers in authenticated pages to avoid them being cached downstream on the client. Here's an article you may take a look at.
So you could set the following headers on authenticated pages:
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
This could also be done in a custom HTTP module to avoid repeating the code in all pages.
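The same "never cache authenticated pages" rule, as an added example that is not part of the answer and not ASP.NET code: a Node.js http handler that applies the equivalent of the three Response.Cache calls above to protected pages only, together with a small checker that reports whether a given header set still lets the browser replay the page from history. The /account path, the /login location and the session-cookie check are assumptions of this example.

```javascript
// Added example (not from the answer above): Node.js equivalent of
// SetExpires(past) + SetCacheability(NoCache) + SetNoStore(), plus an audit
// helper for existing headers. /account, /login and isLoggedIn are stubs.

// no-store stops the browser storing the body at all, so Back cannot replay
// it; Pragma and Expires cover HTTP/1.0 proxies that ignore Cache-Control.
function noStoreHeaders() {
  return {
    'Cache-Control': 'no-cache, no-store, must-revalidate, max-age=0',
    'Pragma': 'no-cache',
    'Expires': 'Thu, 01 Jan 1970 00:00:00 GMT',
  };
}

// Parse a Cache-Control value into a set of lowercase directive names.
function cacheDirectives(headers) {
  const value = headers['Cache-Control'] ?? headers['cache-control'] ?? '';
  return new Set(
    value.split(',').map((d) => d.trim().split('=')[0].toLowerCase()).filter(Boolean),
  );
}

// Audit helper: may a browser keep this response and show it again from
// history without contacting the server? Anything without no-store counts as yes.
function mayReplayFromCache(headers) {
  return !cacheDirectives(headers).has('no-store');
}

// Protected pages get the no-store set; public assets keep normal caching.
function headersForResponse(isAuthenticatedPage, base = {}) {
  return isAuthenticatedPage ? { ...base, ...noStoreHeaders() } : { ...base };
}

function isLoggedIn(req) {
  // Stub: a real application validates the session cookie against its store.
  return /(^|;\s*)session=/.test(req.headers.cookie || '');
}

function handler(req, res) {
  const protectedPage = req.url.startsWith('/account');
  if (protectedPage && !isLoggedIn(req)) {
    // The redirect itself is also marked no-store so it is never replayed.
    res.writeHead(302, { Location: '/login', ...noStoreHeaders() });
    res.end();
    return;
  }
  const headers = headersForResponse(protectedPage, { 'Content-Type': 'text/html; charset=utf-8' });
  res.writeHead(200, headers);
  res.end(protectedPage ? '<h1>Your account</h1>' : '<h1>Public page</h1>');
}

// Stand-alone server for manual checking with a browser's Back button.
if (typeof require === 'function' && require.main === module) {
  require('http').createServer(handler).listen(8080, () => {
    console.log('listening on http://localhost:8080');
  });
}
```

Applying the headers in one place (here the handler, in ASP.NET a custom HTTP module) is what makes the rule hold for every authenticated page rather than only the ones someone remembered to edit.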

Problem with web screenshots requiring authentication

I am making an app that takes a screenshot of a URL requested by the user. I want to make it as transparent as possible when sites that require a username and password are in question.
For instance, if a user wants to screenshot his iGoogle page, he will send the server the URL, but the screenshot will not be the same as what he sees on his screen.
Is there any way to do this? I guess that in such cases I will have to actually request the screenshot from the user. Perhaps the user can even deliver his cookie for that domain to me.
Any thoughts?
Ty.
Yes, in most cases you'll need the user's cookies.
If the site uses regular cookies, you can create a bookmarklet that reads document.cookie. This will not work with httpOnly cookies, which are used increasingly often for sessions.
Some sites limit sessions to certain IP, and in that case you can't take screenshot without proxying request through user's computer.
If you can get the user to use a bookmarklet, an interesting trick would be to read and send the DOM to your server:
var image = new Image(); // requesting the image is what sends the DOM as a query string
image.src = 'http://example.com?source=' +
    encodeURIComponent(document.documentElement.innerHTML); // escape() is deprecated and mangles non-ASCII
For HTTP authentication the easiest solution would be to ask the user for a login/password.