I am using the saveToken / isTokenValid in a very old struts application. I have been able to implement the saveToken and isTokenValid attributes to prevent a CSRF attack, but if I press the BACK BUTTON then try to submit the same form I hit my error. Is it possible in struts to prevent a CSRF attack using these utilities but allow the ability to go back and resubmit a form?
I was over thinking CSRF and resetting the token on each page, which means the old tokens were invalid. I instead only save the token once and reset it only where it needs to be.
Related
I'm new to Nuxt, but I have a bootstrap header with the standard v-if="authenticated" kinda state for login\logout buttons.
The auth provider is firebase which has a onAuthStateChanged method that I use to set (or reset) the user property in the state store.
So page loads, I see the login button, onAuthStateChanged runs, sets the user, then login disappears and logout button shows up (can see the Vuex events from base->set as well).
Question is, what am I doing fundamentally wrong such that I'm getting this flashing state. Is the only way to handle this to work with localStorage? ...should I NOT be storing the user in the state.store?
You need to save it in the store. But make no mistake because when reloading you have to set the token value using localstorage.
These are very good explanations
I am building a basic login page using the existing sign-in portlet.
I just want to have a functionality that when a user access the website, right now localhost:8080, the sign-in portlet should pop up!
Is this doable? If so, Can someone please hint me how this can be done?
This is how the default page looks like right now:
To log in, I have to explicitely click on the "sign-in" blue button and then it pops out a modal sign in portlet.
But what I am trying to do here is:
Whenever a user clicks on the default url, it should immediately ask the user to login rather than showing a blank page with a sign-in button (something like the output image)
Or even a modal sign-in box (Whatever is easy to customize.)
and
Whenever a user hits any other url for eg. localhost:8080/web/project1/home and if the user is not signed in, it should force him to sign in first.
Two possibilities out of the box:
place nothing but the sign in portlet on the homepage, appearing at that location (typically /web/guest/home)
protect your default page to be not visible to the guest user (this will automatically forward to the sign-in portlet) - see the "Permissions" button on the "Manage Pages" interface
There are more, but these seem to be the first and most obvious ones. Let me know if one of them works for you or what the reason for your request is
From what I understand, you want the Login Portlet to popup as a modal window/lightbox on the current page (i.e. without leaving the page). AFAIK, to achieve this, you'll have to develop all your portlets to use AJAX to create links that point protected resources. So when you get an unauthenticated request, you can stay on the same page and show login dialog.
This is high-level approach. You'll need to 1) embed the Login portlet in your theme and 2) put the below javascript functionality in Theme:
callback function - to handle response for unauthenticated request,
to render modal/lightbox
You might face surprises while implementing this.
Suppose I'm building a login system. The user enters a username and password into a field and it is sent via HTTPS to the server, which validates the login before the page loads. If a bad password is sent, the login obviously fails immediately, but one would want the error message to be displayed later in the page, near the login box.
The obvious solution is to set a global flag and have the login box check it and add the error message if necessary, but my understanding is that global variables are best avoided. Is there another straightforward method of achieving this functionality?
For a non-AJAX login page, it is common practice to redirect the user browser to the login page with an extra query parameter in the url, In pseudo-code, here is the login validation controller code segment:
success = checkLogin(username,password)
if (success == false)
redirect('http://example.com/login?failedlogin=true')
The login page controller would be responsible for detecting this query param and telling the view code to display a failure message. I don't believe the term 'global flag' applies to this practice so it should meet your requirements.
If the login page uses Ajax, the Javascript on the login page takes the results of the AJAX call and updates the appropriate DOM elements with the failure message.
While I posted a form from iframe in safari, it gives Invalid Authenticity Token exception. If I try without iframe, then it works fine.
Why it is happening? How can I fix this?
The authenticity token is a mechanism that rails uses to protect users from CSRF attacks. Here is a good explanation, taken from Understanding the Rails Authenticity Token
When the user views a form to create, update, or destroy
a resource, the rails app would create a random authenticity_token,
store this token in the session, and place it in a hidden field in the
form. When the user submits the form, rails would look for the
authenticity_token, compare it to the one stored in the session, and
if they match the request is allowed to continue.
So basically, for any action that would modify your model rails wants to verify that it is a change originated by you.
Rails does that (through the use of form_for or form_tag helpers) by adding that secret authenticity token to the form with a html tag like this: <input name="authenticity_token" type="hidden" value="Som3Thin10ngAndUGly">
Back to your problem: I've never worked with iframes so I'm not sure what's happening, but my guess is that your iframe form is not passing the authencity_token. If this is the case the solution is simple, just add a hidden input like the one above and use the form_authenticity_token method to set its value.
I've noticed that when I refresh the page twice in a row or double click on a link, the user is automatically logged out. I'm using cakephp 1.2 and the Auth component. I don't have a lot of experience with CakePHP, any ideas what could cause this?
You probably have Configure::write('Security.level') set to 'high'. In that setting, the Session ID is being regenerated on each request. When you refresh the second time with the same old Cookie that has an old Session ID, it won't be valid anymore.