Cross Damain Session Communication - yii

I have two domains pointing to same server, what i am trying to do is when i log in into the application using domainOne.com the session is maintained for that domain , if i try to access the application from other domain domainTwo.com the session is not there.
I want the same session values in both the domains,
I have PHP application [Yii Framework Application], and the requirement is, one third party application wants part of my application content that needs to be authenticated. I authenticate the content using SSO(Single Sign On[JWT]) and pointed their domain to my content(which needs to be shared) using this way, i am able to login using their's(Third party's) domain but when i access the same section using my original domain the session is not there (No Session when using My domain).
What i want is, when i log in using their domain and access the content from my domain it should show me as logged in user
Conditions -
domainTwo.com/someContent - Logged in using this
domainOne.com/someContent - Session is not here
and vice versa
P.S someContent is in my server only.
Please can anyone help?
Thanks in advance..!
edit - Requirement is the client dont want iframes, please suggest methods which dont use iframes.

Related

DNN LDAP Authentication with DNN.ActiveDirectory

I am having some trouble and need some help. I am trying to connect a website to authenticate to Active Directory through LDAP using DNN.ActiveDirectory, but I can only get the "Check Root Domain" portion to pass. Using ldp.exe on the server I am able to connect to the domain controller and query the users on it with the same user name and password I am trying to use with the plugin, and even using my domain admin account makes no difference. I have tried it with every authentication type, changing the root domain (only way that would get the check root domain to pass is the LDAP://domain.local), with/without the domain in front of the username, and with/without the default domain filled out.
I don't have access to the error logs at the moment since I am not at that office yet, so I will get those posted when I can. If I remember correctly the error being logged was an authentication error. LDAP initially wasn't configured on the domain controller so I had to set that up, and admittedly I am not too familiar with it so I followed this guide: https://techcommunity.microsoft.com/t5/sql-server-blog/step-by-step-guide-to-setup-ldaps-on-windows-server/ba-p/385362. I am using the default ports. I stopped before setting up LDAPS, but when I couldn't get that to work I continued through up to the signing the certificate part. I was working on getting the certificate signed when I came across notes that DNN.ActiveDirectory doesn't support LDAPS. My tests with successful connections using ldp.exe were all against port 389. Are there some extra configurations that are needed to get DNN.ActiveDirectory working that weren't covered in that guide, or any common snags I should be aware of?
DNN.ActiveDirectory has not been maintained for a while, and does not support LDAPS afaik - see Checking Root Domain step fails.
My recommendation is to have a look at AD-Pro Authentication.

Asp.net MVC core prevent multiple device access on certain pages

My whole system allows one user accessing from multiple devices at the same time. However, some certain pages don't allow it. When user access the page from device 1, later he accesses from device 2, the second device needs to access normally. However, the first device should be redirected to another page (user is still logged on both devices).
I'm using ASP.net core identity for managing identity.
After reading, I think I can use SignalR in this case. Whenever user access from device 2, he will send a message to server. Server will push a message to device 1 and device 1 will redirect. However, it doesn't look good because the redirection is made from client (device 1). That means device 1 can easily refuse redirecting by tamper client code on its side.
What's the proper way to solve my issue?
When user access the page from device 1, later he accesses from device 2, the second device needs to access normally. However, the first device should be redirected to another page (user is still logged on both devices).
To achieve above requirement, as you mentioned, integrating SignalR functionality into web app is a possible solution.
You can retain information about UserName - UserConnectionId(s) - PageName, then can call hub method to check if the connection Id (and current page name) is different with existing connectionId (and page name) within the retained mapping data and push message to specific client based on connection Id to trigger client side redirection.
it doesn't look good because the redirection is made from client (device 1).
Yes, client user may disable signalR javascript client functionality to prevent the redirection. As a workaround, can double check on server side.
For example, you can store above mapping data UserName - UserConnectionId(s) - PageName in some permanent storage, then you can check it inside controller action (or handler method) code logic, if current user disabled javascript client functionality manually and no mapping data of current user added in that storage, you can redirect user to a specific page that shows content like "signalR javascript client functionality is required for this app, please not disable it" instead of showing the page user expect.

Cognito login and track referral source

I'm using Amazon Cognito with the Built-In login page. I'd like to provide a link where I can customize my site after the user logs in based on where the user is coming from.
If I change the redirect_uri to a page that is different than configured in the App client settings I'll get a redirect_mismatch error.
If I add a query param it does not preserve it.
https://auth-local.auth.us-west-2.amazoncognito.com/login?response_type=code&client_id=<myid>&redirect_uri=http://localhost:4201/after-login&TEST_QUERY_PARM=1
Goes to:
http://localhost:4201/after-login?code=[code]
There is no TEST_QUERY_PARM that I set in the redirect_uri.
Is there any way I can track where it came from?
-
EDIT: I'm using AWS Chalice/Lambda for backend server
Did you try to configure two application clients each with its own callback URL.
So to track calls from different sources you will do something like:
?response_type=code&client_id=<myid_1>&redirect_uri=<myurl_1>
?response_type=code&client_id=<myid_2>&redirect_uri=<myurl_2>
or you can actually configure several callback URLs for one App Client by separating them by a comma.

How do I access Google Drive Application Data from a remote server?

For my application I want the user to be able to store files on Google Drive and for my service to have access to these same files created with the application.
I created a Client ID for web application and was able to upload/list/download files from JavaScript (client side) with drive.appfolder scope. This is good, this is half of what I want to do.
Now I want to access the same files from Node.js (server side). I am lost as to how to do this. Do I create a new Client ID for the server? (if so, how will the user authenticate?) Do I pass the AuthToken my user got client-side and try to use that on the server? I don't think this will work as the AuthToke is time-sensitive (and probably not intended to be used from multiple IPs).
Any direction or example server-side code will be helpful. Again, all I want is to access these same files the user created with my application, not any other files in the user's Google Drive.
CLARIFICATION: I think my question boils down to: "Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Do I create a new Client ID for the server?
Up to you. You don't need to, but you can. See below.
if so, how will the user authenticate?
Up to you. OAuth is about authorisation, not authentication.
Just in case you meant authorisation, the user authorises the Project, which may contain multiple client IDs.
Do I pass the AuthToken my user got client-side and try to use that on the server?
You can do, but not a good idea for the reason you state. The preferred approach is to have a separate server Client ID, and use that to request offline access, which returns (eventually) a Refresh Token, which you store in your server. You then use that Refresh Token to request Access Tokens whenever you need them.
AuthToken is ... (and probably not intended to be used from multiple IPs).
It is not bound to a specific IP address
Is it possible to access the same Application Data on Google Drive both client-side and server-side?"
Yes
Most of what you need is at https://developers.google.com/accounts/docs/OAuth2WebServer

Integrated Authentication on Webserver - Security?

We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.