I am trying to implement a login page with symfony2 and for that I am using my own custom user provider.
The problem is when the user enters his credentials, he will not be recognized. By that, I mean the debug bar at the bottom says "You are not authenticated." and $request->getUser() will return null. But the strange thing is that the user will still be allowed to visit the pages that need him to log in.
I don't think the problem is with the authentication, since when I enter a wrong password, I get warned about it, but when I enter the correct one, I get redirected to the first page (but it still says "You are not authenticated.")
Do you know where I should be looking for the problem?
I have attached my security.yml file in this pastebin and routing.yml in this one.
Here is the code for my custom user provider.
And This is the User class definition.
EDIT: Here is the var_dump of my get('security.context')->getToken(). The funny thing is that authenticated is true, but getUser() is still null and the debug bar says I am not authenticated.
object(Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken)#46 (6) {
["credentials":"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":private]=>
NULL
["providerKey":"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":private]=>
string(11) "system_area"
["user":"Symfony\Component\Security\Core\Authentication\Token\AbstractToken":private]=>
NULL
["roles":"Symfony\Component\Security\Core\Authentication\Token\AbstractToken":private]=>
array(2) {
[0]=>
object(Symfony\Component\Security\Core\Role\Role)#45 (1) {
["role":"Symfony\Component\Security\Core\Role\Role":private]=>
string(10) "ROLE_ADMIN"
}
[1]=>
object(Symfony\Component\Security\Core\Role\Role)#44 (1) {
["role":"Symfony\Component\Security\Core\Role\Role":private]=>
string(9) "ROLE_USER"
}
}
["authenticated":"Symfony\Component\Security\Core\Authentication\Token\AbstractToken":private]=>
bool(true)
["attributes":"Symfony\Component\Security\Core\Authentication\Token\AbstractToken":private]=>
array(0) {
}
}
In order to get the current User you have to use:
$this->get('security.context')->getToken()->getUser();
In order to check if the current User has a certain role use:
$this->get('security.context')->isGranted('ROLE_USER')
I managed to fix the problem. It was because of the dummy code I had used in place of serialization of User objects. I replaced it with real code and problem was gone.
Related
I have a web application that employees log in to do stuff. What Im trying to achieve is: When a user logs in from a computer, if he is already logged in on another computer, that must be logged out. The web app is MVC Asp.Net Core 2.2 Code first. I have added a signInManager in startup and edited the PasswordSignInAsync method. I login the system from two different devices. When I click something on the screen from the first computer that I loggedin, it redirects to logout. It seems like working. But Im not sure if this is the right way of doing this. The code I added is: await UserManager.UpdateSecurityStampAsync(user); Inside PasswordSignInAsync method.
Inside the startup class ConfigureServices method I added
'services.AddIdentity<ApplicationUser, ApplicationRole>()
.AddSignInManager<SignInManagerX>()'
Then in SignInManagerX class which is inherited from SignInManager I overrided the PasswordSignInAsync
public override async Task<SignInResult>
PasswordSignInAsync(ApplicationUser user, string password,
bool isPersistent, bool lockoutOnFailure)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
var attempt = await CheckPasswordSignInAsync(user, password,
lockoutOnFailure);
//Here is added
if (attempt.Succeeded)
{
await UserManager.UpdateSecurityStampAsync(user);
}
//Add end
return attempt.Succeeded
? await SignInOrTwoFactorAsync(user, isPersistent)
: attempt;
}
Is this the right way ? or I should add a table to db for logins which holds the info if the user is already logged in on another Ip. Then Logging out that user from all computers if the last and current login attempt is true ?
Yes , the primary purpose of the SecurityStamp is to enable sign out everywhere.
The basic idea is that whenever something security related is changed on the user, like a password, it is a good idea to automatically invalidate any existing sign in cookies, so if your password/account was previously compromised, the attacker no longer has access.
Reference : https://stackoverflow.com/a/19505060/5751404
You can set validateInterval to TimeSpan.Zero for immediate logout .
I have successfully implemented group based authorization in an MVC application by using the [Authorize(Roles = "Admin")] tags in my controller.
However, the default behaviour when a user requests a page they are not authorized to view is to redirect them to the login page. This far from intuitive, and causes too much confusion amongst users who will repeatedly try to login.
Instead I would like to display a custom screen, or at the very least have a message display on the login screen stating that they are already logged in, but with insufficient privileges.
A User.Identity.IsAuthenticated tag exists, which can be used in the base logic, but there doesn't appear to be a similar IsAuthorised tag.
How can this behaviour be implemented?
I believe you have already partly solved your problem. This because because when authorization fails, the user will be redirected to login page. Verify if the user is authenticated before displaying the login view. If they are authenticated re-direct them to appropriate page instead.The code snippet below will not display login view if the user is authenticated and the cookie has not expired. They will be redirected to "DashboardOrSomeOtherView.cshtml" instead
[HttpGet]
public ActionResult Login(string returnUrl)
{
// Before showing login view check if user is authenticated.
// If they are redirect to suitable page,
// and print appropriate message
if (ControllerContext.HttpContext.User.Identity.IsAuthenticated)
{
// You can even use TempData as additionally, to hold data here and check in
//the view you redirect to if it is not null and is true ,
// then they are authenticated and show some message,
// e.g. You have been redirected here because you do not
// have authorization to view previous page.
TempData["UserAlreadyAuthicated"] = true;
return RedirectToAction("DashboardOrSomeOtherView");
}
// If they are not authenticated , show them login view
return View();
}
In the DashboardOrSomeOtherView
<div>
<h1>DashboardOrSomeOtherView</h1>
#{
if(TempData["UserAlreadyAuthicated"] != null && TempData["UserAlreadyAuthicated"].ToString().ToLower() == "true")
<div>You have been redirected here because of inadequate authorization</div>
}
</div>
I am experimenting with Grails 3 Interceptors. Given the following interceptor:
class AuthInterceptor {
AuthInterceptor() {
matchAll().includes(controller:"account")
}
// Intercept anything under /account.
boolean before() {
User user = SimpleSecurityUtils.getCurrentUser()
if(user != SimpleSecurityUtils.anonymous) {
// Only get here if the user is currently authenticated. Redirect them to where they want to go.
true
} else {
redirect(controller: auth, action: signin)
true ??
}
}
boolean after() { true }
void afterView() {
// no-op
}
}
matchAll().includes(...) doesn't actually exist on the Matcher object. So how do I actually say "only intercept requests to the AccountController"?
If you follow the auth logic, if the user is currently anonymous (not logged in), I want to redirect them to the AuthController#signin action, which will present them with a login screen. It doesn't appear that the redirect(...) closure is available to interceptors...so how do I perform this redirect safely? Furthermore, how do I "save off" the URL we are currently intercepting so that, after successful login, the user can yet again be redirected to the originally-requested URL?
I say safely above because I've had issues with Grails CannotRedirectExceptions being thrown if too many redirects keep getting tossed around, and those errors are usually assuaged by returning after performing a redirect per this previous answer.
For #1, match( controller: "account" ) should do the trick. Don't know the answer to #2.
Recently I have decided to add a "remember me" feature to my Laravel 4 app.
Appropriate method with syntaxis was found:
Auth::attempt(array $credentials = array(), $remember = false)
This was adopted for my needs like so:
Auth::attempt($userdata, Input::has('remember'))
Application kept the Auth session, and the user was authenticated even after browser was closed.
Although, I have found out that now Laravel always keeps a user authenticated, no matter what state "remember" checkmark is.
I have tried to do:
Auth::attempt($userdata, false)
and
Auth::attempt($userdata,)
User was still authenticated across the browser sessions!!!
Now, since Auth::attempt($userdata) not keeping the auth session, I felt that whenever there is an indications of the second argument in Auth::attempt method, Laravel auto assumes it as "true".
Can anyone clarify that?
EDIT:
To make it a super clear to everyone, I will list the steps to recreate this behaviour:
Logout of the app Auth::logout();
Login again Auth::attempt($userdata, false)
Close and open the browser
Go to the app url.
Application is loaded authenticated
This is my first question here, so please, be patient with me :)
EDIT : OP made clear he called Auth::logout() properly, so answer is edited to include the "Real" answer.
Set lifetime value in app/config/session/php to 0 to make cookie clear on browser close.
Previous answer
This is the login method in Illuminate\Auth\Guard (Which is facaded to Auth) class, which is eventually called by Auth::attempt().
source : http://laravel.com/api/source-class-Illuminate.Auth.Guard.html#263-291
public function login(UserInterface $user, $remember = false)
{
$id = $user->getAuthIdentifier();
$this->session->put($this->getName(), $id);
// If the user should be permanently "remembered" by the application we will
// queue a permanent cookie that contains the encrypted copy of the user
// identifier. We will then decrypt this later to retrieve the users.
if ($remember)
{
$this->queuedCookies[] = $this->createRecaller($id);
}
// If we have an event dispatcher instance set we will fire an event so that
// any listeners will hook into the authentication events and run actions
// based on the login and logout events fired from the guard instances.
if (isset($this->events))
{
$this->events->fire('auth.login', array($user, $remember));
}
$this->setUser($user);
}
It is clear that even though the cookie is set when $remember is set to true, the cookie itself is not cleared when $remember is set to false or other non-truthy value.
The cookie is cleared when you call Auth::logout() function.
In our app we had some actions that we required the user to reauthenticate before proceeding. We used code like below to make this happen.
FB.login(
function(response) { /* code here */ },
{auth_type: 'reauthenticate', auth_nonce: '...'}
);
It looks like the auth_type option is no longer supported, because I am getting the following log message: 'FB.login() called when user is already connected.' and the user is not being asked to reauthenticate.
Does anyone have any ideas how to reauthenticate after the changes for OAuth 2.0?
It appears that, for the time being (and I qualify that because Facebook seems to change their API response on a whim), you can get auth_type: reauthenticate to work properly IF you also specify permissions (the scope parameter in OAuth 2.0). Check out this example:
http://www.fbrell.com/saved/a78ba61535bbec6bc7a3136a7ae7dea1
In the example, click Run Code, and then try the "FB.login()" and "FB.login() with Permissions" buttons. Both are coded to use auth_type: reauthenticate, but only the latter actually gives you the FB prompt once you are logged in.
Here are the relevant examples:
// DOES NOT PROMPT
document.getElementById('fb-login').onclick = function() {
FB.login(
function(response) {
Log.info('FB.login callback', response);
},
{ auth_type: 'reauthenticate' }
);
};
// PROMPTS AS EXPECTED
document.getElementById('fb-permissions').onclick = function() {
FB.login(
function(response) {
Log.info('FB.login with permissions callback', response);
},
{ scope: 'offline_access', auth_type: 'reauthenticate' }
);
};
So, the answer is, Yes, auth_type: reauthenticate DOES work, but ONLY if you also specify a valid scope parameter. (And yes, I tried it with an empty scope, and it acted the same as not using scope at all.)
You can use an iframe to make sure the cookie is always valid.
facebook auto re-login from cookie php
Using FacebookRedirectLoginHelper::getReAuthenticationUrl everything works fine.
Internally the method put 'auth_type' => 'reauthenticate' and pass also all the permissions required.
Now the issue is that only prompt to the user to re-enter the password without the possibility to "switch" between users or without the possibility to insert also the username.
Does someone found a solution for this issue?
I manage an application with multi accounts and when the user need to generate again the token this is an issue :(
Thanks, Alex.