I need to maintain a session for session credentials throughout the web pages I have made. I have next to no experience using OWA_COOKIE and am unsure how to go about it.
I just need it to maintain the session, Finish session if
inactive for 15 mins OR 2. they log out
I have had a whirl at it and this what I have but it doesn't work and am at a lose, can someone help or point me in the right direction?
FUNCTION maintain_session_cookie
AS
TYPE vc_arr IS TABLE OF varchar2(4000)
INDEX BY BINARY_INTEGER.
TYPE cookie IS RECORD (
NAME varchar2(4000),
vals vc_arr,
num_vals integer);
BEGIN
owa_util.mime_header('', FALSE);
owa_cookie.send(
NAME=>'Session_Cookie',
VALUE=>LOWER(),
expires => SYSDATE + 365);
-- Set the cookie and redirect to another page
owa_util.redirect_url();
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
I have been just fiddling to see how it works and provide the functionality that I need.
First of all, it is a quite awkward way to set session lifetime by cookies. You can setup the parameter timeout-secs in either web.xml or weblogic.xml (see Oracle docs).
Your both requirements should be processed by the HTTP server, that's my point of view.
Now, let's say you still want to use cookies (maybe you do not use WebLogic or another reason, whatever). You will face following problems:
You will need to specify these cookies on every page you will display to the user, and not only pages, every ajax call should also have the cookies. So, everything which shows user activity should have this cookie.
Expires parameter should, obviously, be sysdate + interval '15' minute, then your cookie will work exactly for 15 minutes and if you do like it is written in point 1 the cookie will be lost only if there is no activity.
You will have to close the session by yourself if the cookie is not more presented in HTTP request, this is an additional problem.
The thing I want to say is: do it with server configuration and not with cookies. This will save your time and nerves.
Related
I have been using Google calendar API to insert events in user's calendar. I have written a code which takes csv(with approx 1000 rows) as an input with minimum required parameters to create events such as event_title, event_description, event_date (since its a full day event) and recipient email id..The code runs in background using sidekiq.
Out of 1000 rows , only some events are inserted in user's calendar. Most of them are giving Rails -- [API Error]: -- {:error=>["Excon::Error::Forbidden", "Expected([200]) <=> Actual(403 Forbidden)\n"]} error.
I have been using excon client (gem) to hit the urls to refresh token and inserting an event.
Token is refreshed
Loop (
Hitting API to insert events
)
rescue error
end
I couldnt figure out what's going wrong ?..Any help is appreciated. While registering my app in Google developer console , I have given the full scope of calendar api auth/calendar.
I tried setting Excon.defaults[:ssl_verify_peer] = false.
Implementing such api first time.
The 403 would indicate that the permissions are not valid in some way. My guesses would be that either the token is expiring, you are hitting some kind of rate limit, or something is different about the parameters for the failing request such that the particular event is not allowed.
Do you think any of those is more likely than the others? If it is the token expiring, you could try to catch the 403 error, refresh the token, and retry. If it's one of the others it might take a bit more digging to see why the ones that are failing are different from the ones that succeed.
I'm a newbie with jMeter. I would to ask opinion and guide from forum to point me to right direction. I've have been tasked to do Load test on API Update Password. I have try several approach I can think off plus with the info from internet, but failed to have successful execution.
Below is my most successful approach but still failed after 3-5 minutes execution.
Test Plan
CSV Data Set Config - (Default setting, contain 500 member id's)
Thread Group (Setting: 100vu/100s, Loop: Infinite, Duration: 1 hour)
Counter1 (Old Password) example: abc001
Counter2 (New Password) example: abc002
Http Request (Get Token) {
Old Password
Member Id } --> Send token to next http request
Http Request (Update Password) {
Old Password
New Password
Confirm New Password }
The both Counter have increment of 1 and checked for Track counter independently for each user.
Based on my logic, it should be able to handle the execution as below.
Member1 (abc001,abc002) > Member1 (abc002,abc003) > Member1 (abc003,abc004) > etc
But in reality if failed. I also have try using JSR223 for counter, but still failed. Please help me by pointing me to correct direction how to execute this. I hope anyone can help! Thanks
In its current form your question doesn't make a lot of sense, it's unclear to me what is expected behaviour, what is the actual one, how exactly your test is failing and so on.
Try running it with Debug Sampler added so you would see the JMeter Variables with their respective values.
If it doesn't help - come up with a minimal test plan which shows the issue you're having using i.e. Dummy Sampler and indicate what's wrong and how it should behave according to your expectations.
When a user's password is updated I want the Security stamp value to be updated every time that happens. I believe that is how Security stamp works from my research.
I place this code in the ApplicationUserManager.cs but this isn't working:
private static string NewSecurityStamp()
{
return Guid.NewGuid().ToString();
}
What and where do I need to get the security stamp value to change each time an update is made to the user's account?
That is what happens. However, the security stamp is only re-validated on an interval (every 30 minutes, by default), to reduce the number of database queries being made. You can lower this interval, even to zero, which effectively makes the stamp be re-validated with each request. However, that will increase the chatter back and forth to the database.
services.Configure<SecurityStampValidatorOptions>(o =>
{
// WARNING: this will issue a query for every request
// You might want to rather just compromise with an interval
// less than 30 minutes (5 minutes, 10 minutes, etc.)
o.ValidationInterval = TimeSpan.Zero;
});
An alternative option is to simply log the user out after such a change. If the goal is to simply make them re-login, that should do the trick much better. Just inject SignInManager<TUser>, and then call SignOutAsync on that instance. You'll need to redirect the user afterwards. That could be directly to the sign in page or to some area of the site that is protected, which will then cause them to be taken to the sign in page to authenticate. In either case, a redirect is necessary to have the auth cookie actually be deleted.
using keystone LocalFile type to handle image uploads. similar to the Cloudinary autoCleanup option, I want to be able to delete the uploaded file itself, in addition to the corresponding mongo entry when deleting entries through the admin ui.
in this case, I want to delete an "Album", and it's corresponding album cover.
Album.schema.pre('remove', function(next){
var path = this._original.album_cover.path + "/" + this._original.album_cover.filename
fs.unlink(path, function () {
console.log('deleted');
})
I get "CSRF failure" when using the fs module. I thought all CSRF protection was handled internally with Keystone.
Anyone know of a better solution to this?
Took a 10 minute break and came back and it seems to be working now. I also found this, which seems to be the explanation.
"Moreover double check your session timeout. In my dev settings the session duration is set to 3 minutes. So, if I end up editing something for more than that time, Keystone will return a CSRF error on save because the new session (generate in the meantime) invalidates the old token."
https://github.com/keystonejs/keystone/issues/1330
My thinking was that Symfony2 would extend the ExpireAt on each page request made during the authenticated session. So if the timeout was 100 seconds and you made a page request, the new ExpireAt would be time() + 100. This "use it or lose it" authentication functionality is similar to what you get on a banking website.
The default functionality seems to be when the session timeout is set to 100 in the config.yml, the user only has 100 seconds to do what they can.
I don't think this will be to hard to implement but where should it be done? My first guess is in the isEqualTo method. Once you can determine the user is authentic you can re-up their expireAt. Or does the cookie need to be modified?
The answer lies in the refreshUser method of the UserProvider and the isEqualTo method of the UserClass.
The isEqualTo method tells the user provider whether to refreshUser(UserInstance user).
Step1 : isEqualTo() returns false; (as your understanding grow, so can this logic. But essentially, this triggers refreshUser().
In all the basic user provider examples, the refreshUser & loadUserByUsername are identical. The to do what I'm talking about, the refreshUser() needs to be a little different.
Step2 : modify refreshUser(UserInterface $user). What's being passed into this method is the original userClass. So the refreshUser is responsible for syncing the expiresAt or credentialsExpireAt
I use this logic in my refreshUser() to either extend the expiration date OR set it to the original expiration date (which is expired):
if( time() > $user->getCredentialsExpireAt() ){
$refreshedUser->setCredentialsExpireAt( $user->getCredentialsExpireAt() );
}