I am using Devise to manage authentication in a Rails 3.1 application. It works just fine on my production server. But I just set up a new test server, and if I log in to the main site, accessing a subdomain does not recognize the session. It's asking me to log in again.
I can't recall where I would troubleshoot this information. It seems as if it is some cookie setting.
I have domains pointed to each site, production and test. The production one ends in .net, the test version ends in .co.
Can anyone point me in the right direction?
I think this is not a Devise setting but a session and cookie setting.
You can work on this by setting the variable YourApp::Application.config.session.
You can do this in your environment.rb file or your config/initializers/session_store.rb. An example for session_store.rb is:
YourApp::Application.config.session = {
  :session_domain => '.yourdomain.com',  # leading dot: the cookie is sent to every subdomain
  :session_key    => '_yourapp',         # name of the session cookie
  :expire_after   => 14*24*3600,         # lifetime in seconds (14 days)
  #:secure => true, # for secure/ssl sessions and such
  :secret => 'somesecretgobledygook'     # signing secret; keep it out of version control
}
Please note that setting session_domain to .yourdomain.com makes your cookies work across subdomains.
This applies to sessions. There are similar settings for cookies.
I want to set up multiple webapps in my domain. I am using a VS2022 solution with multiple projects and shared class libraries to keep things together.
I would prefer that if I log in to the app and navigate to any of the others, I would also be logged in to that app automatically, and of course logging out would have the same effect.
At the moment, I can log into app 1, go to app 2 and log in there, but when I return to app 1 I am logged out.
Currently in my startup I have the following:
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.Name = "AspNet.SharedCookie";   // same cookie name in every app
    options.Cookie.Path = "/";
    options.Cookie.Domain = "localhost"; // "*.example.com";
    options.Cookie.SameSite = SameSiteMode.Lax;
});
services.AddAuthentication("AspNet.SharedCookie");
The identity platform is Microsoft.Identity with SQL Server. I don't think there is any issue there, as I am successfully logging in/out everywhere.
services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = false)
    .AddRoles<IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>();
My apps currently run on localhost:1000, localhost:2000, localhost:3000 etc., but this would eventually become app1.example.com, app2.example.com etc.
The AspNet.SharedCookie is available on all sites, but obviously changes based on the current app.
I even thought of changing the app Id, but I don't think that's a good idea; besides, it had no effect.
<PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <UserSecretsId>aspnet-DEV.app1-USE THIS SAME ID IN ALL APPS</UserSecretsId>
</PropertyGroup>
How do I get this right to keep all apps standard with their own login identity, but so that switching apps keeps that login info?
Thanks for sharing, and I solved the issue by adding the code below.
services.AddDataProtection().PersistKeysToFileSystem(new DirectoryInfo(@"c:\temp-keys")).SetApplicationName("testapp");
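Why that one line fixes it, as an added example in plain Ruby (this is not the ASP.NET code from the answer, and not the Data Protection library itself): every app that generates its own key ring signs its cookie with a key no other app holds, so app2 rejects app1's cookie. Persisting one ring that all apps load, and giving them the same application name, makes the derived keys equal. A keyed HMAC stands in for the library's authenticated protector, and key derivation with the app name models what SetApplicationName() does; all method names, key material and payloads are constructed for the demo.

```ruby
require 'openssl'

# Per-app signing key derived from the shared ring plus the application name
# (models SetApplicationName: same ring, different name => different key).
def app_key(key_ring, app_name)
  OpenSSL::HMAC.digest('SHA256', key_ring, "cookie-auth:#{app_name}")
end

# Issue a cookie value of the form "base64(payload).base64(tag)".
def sign_cookie(payload, key_ring, app_name)
  mac = OpenSSL::HMAC.digest('SHA256', app_key(key_ring, app_name), payload)
  "#{[payload].pack('m0')}.#{[mac].pack('m0')}"
end

# Constant-time comparison so a forged tag cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the tag verifies under this app's derived key, else nil.
# Malformed base64 raises ArgumentError, which is treated as "not our cookie".
def read_cookie(cookie, key_ring, app_name)
  encoded, tag = cookie.to_s.split('.', 2)
  return nil if encoded.nil? || tag.nil?
  payload = encoded.unpack1('m0')
  expected = OpenSSL::HMAC.digest('SHA256', app_key(key_ring, app_name), payload)
  secure_equal?(expected, tag.unpack1('m0')) ? payload : nil
rescue ArgumentError
  nil
end

# A fresh key ring, standing in for the keys each app generates on first start.
def new_ring
  OpenSSL::Random.random_bytes(32)
end

# The question's setup: each app generated its own key ring.
def separate_rings
  ring1 = new_ring
  ring2 = new_ring
  cookie = sign_cookie('user=alice', ring1, 'testapp')
  { app1: read_cookie(cookie, ring1, 'testapp'), app2: read_cookie(cookie, ring2, 'testapp') }
end

# The answer's fix: one persisted ring and the same application name in every app.
def shared_ring_same_name
  ring = new_ring
  cookie = sign_cookie('user=alice', ring, 'testapp')
  { app1: read_cookie(cookie, ring, 'testapp'), app2: read_cookie(cookie, ring, 'testapp') }
end

# Shared ring but a different application name: derived keys differ, cookie rejected.
def shared_ring_different_name
  ring = new_ring
  read_cookie(sign_cookie('user=alice', ring, 'app1'), ring, 'app2')
end

# Editing the payload without the key invalidates the tag.
def tampered_cookie
  ring = new_ring
  _, tag = sign_cookie('user=alice', ring, 'testapp').split('.', 2)
  read_cookie("#{['user=admin'].pack('m0')}.#{tag}", ring, 'testapp')
end

if __FILE__ == $PROGRAM_NAME
  p separate_rings            # app1 reads it, app2 gets nil
  p shared_ring_same_name     # both apps read "user=alice"
  p shared_ring_different_name # nil
  p tampered_cookie           # nil
end
```

The real Data Protection stack also encrypts the ticket; only the integrity half is modelled here, which is enough to show the key-sharing requirement. Note what the fix implies: the directory the ring is persisted to becomes the trust boundary for every app, since whoever can read those keys can mint a valid cookie for all of them, so restrict its ACL to the app identities that need it.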
I am at a crossroads where I have the "solution" but I am not sure it's the best approach.
Part of my application is OAuth login and I want to test that too (acceptance).
I have bogus accounts for my OAuth providers that I'll be using to log in. The problem is cookies.
I am using PhantomJS. Even if I use clear_cookies: true in my yml file, I have this problem where my test cannot log in because Google remembers me.
The test is quite simple:
public function login_with_oauth(AcceptanceTester $I)
{
    $I->amOnPage('/auth/logout');            // start from a logged-out app session
    $I->amOnPage('/');
    $I->click(['id' => 'login']);
    $I->click(['id' => 'btn_login_google']); // hand off to Google's login form
    #$I->fillField(['id' => 'Email'], $this->login);
    $I->fillField(['id' => 'Passwd'], $this->password);
    $I->click(['id' => 'signIn']);
    $I->waitForText($this->name);            // back in the app, logged in
    $I->seeInCurrentUrl('/home');
}
The first time it works; the second time it does not, because Google remembers the logged-in user so it doesn't show the login and password boxes anymore.
If I hit the Google logout URL (accounts.google.com/logout) it logs the user out, but the next time I try to log in it will remember my EMAIL (though not my password); the email field will be greyed out (disabled), so Codeception can't fill it and goes bananas.
Even if clear_cookies: true worked, I would run into a problem where, for all my other test Cests that share the same session, I would have to log in in _before(), which would add about 20% more time to run the tests.
The solution I've come up with is to simply restart PhantomJS before each test. Since PhantomJS is managed by supervisord, it is as easy as having an alias in my ~/.bashrc, like so:
alias codecept=' supervisorctl stop phantomjs && supervisorctl start phantomjs && vendor/bin/codecept'
That way I can keep my cookies between each test and I can make sure my OAuth providers' cookies are also cleared.
I also tried restarting PhantomJS from within PHP in the __construct of the OAuth Cest, but that makes Codecept throw some weird errors.
Any ideas?
Thanks and best regards.
Authentication persists nicely across my subdomains on my localhost thanks to help I received here. But now I'm having trouble with my remote server. I changed 'domain' => '.mydomain.com' in session.php and now I can't log in at all. Actually, Auth::attempt() works just fine, but it fails my auth filter when it then attempts to load the next page. Here's the code in my filter:
if ( Auth::guest() ) return Redirect::guest('login');
To me this means that sessions aren't working at all. And that line that I changed in session.php is definitely the culprit, because when I change it back to 'domain' => null, I can log in just fine... it just doesn't persist across subdomains. Any ideas on getting Laravel to remember sessions across my subdomains?
Do all of this login testing in private windows, as old persisting cookies can really screw you up.
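Both the Rails/Devise post above (session cookie not recognized on a subdomain, production on .net and test on .co) and this Laravel post (login stops working after hard-coding 'domain' => '.mydomain.com') come down to the same browser rule: a cookie is only sent back when the request host domain-matches the cookie's Domain attribute. The following is an added example in plain Ruby, not code from either thread or from Rails or Laravel, implementing that RFC 6265 check and deriving the session domain from the request host instead of hard-coding it; method and host names are illustrative.

```ruby
# Browsers ignore a leading dot in the Domain attribute and compare case-insensitively.
def canonical_domain(domain)
  domain.to_s.downcase.sub(/\A\./, '')
end

# RFC 6265 section 5.1.3: the request host domain-matches the cookie domain when
# they are identical, or the host ends with ".<domain>" and is not an IP address.
# "evilyourdomain.net" does NOT match "yourdomain.net" because of the dot rule.
def domain_match?(request_host, cookie_domain)
  host = request_host.to_s.downcase
  domain = canonical_domain(cookie_domain)
  return false if domain.empty?
  return true if host == domain
  host.end_with?(".#{domain}") && host !~ /\A\d{1,3}(\.\d{1,3}){3}\z/
end

# Would the browser attach this cookie to a request for request_host?
# cookie_domain nil models a host-only cookie (no Domain attribute, the
# 'domain' => null case): it is returned only to the exact host that set it.
def cookie_sent?(cookie_domain:, set_by_host:, request_host:)
  if cookie_domain.nil?
    request_host.to_s.downcase == set_by_host.to_s.downcase
  else
    domain_match?(request_host, cookie_domain)
  end
end

# Derive the session cookie domain from the request host instead of hard-coding
# one environment's domain: keep the registrable domain (tld_length + 1 labels)
# with a leading dot, so app.yourdomain.net and app.yourdomain.co each get their
# own correct value. Single-label hosts such as "localhost" get a host-only cookie.
def session_domain_for(request_host, tld_length: 1)
  labels = request_host.to_s.downcase.split('.')
  return nil if labels.size < 2
  ".#{labels.last(tld_length + 1).join('.')}"
end

if __FILE__ == $PROGRAM_NAME
  # Production-scoped cookie visited from the test server: never sent.
  p cookie_sent?(cookie_domain: '.yourdomain.net', set_by_host: 'www.yourdomain.net',
                 request_host: 'app.yourdomain.co')   # false
  # Host-only cookie visited from a sibling subdomain: never sent either.
  p cookie_sent?(cookie_domain: nil, set_by_host: 'www.yourdomain.net',
                 request_host: 'app.yourdomain.net')  # false
  p session_domain_for('app.yourdomain.co')           # ".yourdomain.co"
  p session_domain_for('localhost')                   # nil
end
```

Two practical consequences follow from the check. First, if the remote host you log in on does not end in the configured domain (a bare IP, a staging hostname, a different TLD), the browser silently drops the session cookie and every request after Auth::attempt() arrives as a guest, which is exactly the filter failure described. Second, widening the cookie to the parent domain means every subdomain, including any you do not control or that serves user content, receives the session cookie; scope it that way only when all subdomains are trusted, and mark it Secure and HttpOnly.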
I am migrating from Grails 2.2.2 to Grails 2.3.4 to avoid a bug in 2.2.2 where the text values in the Spring Security property messages were not displaying, but I am running into all sorts of issues. Stuff that worked before now does not.
PROBLEM
When I run the Grails app, the initial default page is index.gsp, which is standard functionality, but after installing and configuring the Spring Security Core, Spring Security LDAP, and Spring Security UI plugins I would like to make /login/auth my default page.
In the previous release, I had it done via the UrlMappings.groovy config file by simply commenting out, replacing or deleting this line
    "/"(view:"/index")
for this one
    "/"(view:"/login/auth")
My Config.groovy is set so that if the authentication is successful it takes me to the home page:
grails.plugin.springsecurity.userLookup.userDomainClassName = 'security.Person'
grails.plugin.springsecurity.userLookup.authorityJoinClassName = 'security.PersonAuthority'
grails.plugin.springsecurity.authority.className = 'security.Authority'
grails.plugin.springsecurity.requestMap.className = 'security.Requestmap'
grails.plugin.springsecurity.securityConfigType = 'Requestmap'
grails.plugin.springsecurity.successHandler.defaultTargetUrl = '/home/'
and my Requestmap entries in BootStrap (if they are of any importance for this issue) are as follows:
for (String url in [
        '/', '/index', '/index.gsp', '/**/favicon.ico',
        '/**/js/**', '/**/css/**', '/**/images/**',
        '/login', '/login.*', '/login/*',
        '/logout', '/logout.*', '/logout/*']) {
    new Requestmap(url: url, configAttribute: 'permitAll').save()
}
new Requestmap(url: '/home/*', configAttribute: 'IS_AUTHENTICATED_FULLY').save()
It turns out that when I do that... Eureka, the login/auth page comes up as soon as the application is started, but when I put in the correct authentication credentials it does not seem to authenticate; it does a 'slight little flicker' and shows itself again.
However, if I delete this line
    "/"(view:"/login/auth")
and put this one back in
    "/"(view:"/index")
and then, when I restart the application, I manually go to login/auth and put in the correct credentials, it correctly takes me to the home page.
QUESTIONS
Did I miss any config setting anywhere that would make login/auth the first page (but also allow me to authenticate)?
I am not sure if this should be a separate posted question, but now by design the login page is part of the plugin; before, it was generated by and part of my code and I could style it at will. Do I have to copy and paste the LoginController and auth.gsp into my app in order to customize the view, or is there a better preferred way?
Thanks in advance.
The authentication mechanism in Spring Security works by keeping track of a referral URL when the login page is shown. And then redirecting to this page on a successful login. If you want the login page to be the first page people see just make the root view require authentication. I'm assuming most, if not all, of your application requires authentication. If this is the case, you don't need to make the login page the root view. Assuming everything under /home/* is locked down then Spring Security will detect that and immediately redirect to the login page when any of the secured pages are requested.
Long story short, you're making it harder than it needs to be.
As to your second question, I do believe you just need to create your own versions of those files in your app to customize them.
Hey, I'm not really sure about your problem, but you can try making the default login URL /login/auth by
grails.plugin.springsecurity.auth.loginFormUrl = '/login/auth'
The project I am currently working on is developed using ZF and Dojo.
For our development and production servers we have basic user authentication which is handled using Apache's virtual host config file (by having users and password files).
When we type the server URL, it pops up the authentication window. It is working well.
We have the following controllers in our project:
Index
Profile
Error
Signoff
But now our client has come up with a new requirement that only for the "Signoff" controller, they would like to allow access to everyone in the network without any authentication.
But if they try to access other controllers it should ask for user authentication.
Kindly let me know your thoughts about solving this issue, either by using .htaccess (Apache URL rewrite) or ZF classes, if any.
You should probably try to set this up in Zend as it will give you a more flexible setup.
// just a simple example to get you started
$config = array(
    'accept_schemes' => 'basic digest',             // accept both Basic and Digest challenges
    'realm'          => 'My Web Site',
    'digest_domains' => '/members_only /my_account', // URI space the Digest challenge covers
    'nonce_timeout'  => 3600,                        // seconds a Digest nonce stays valid
);
$adapter = new Zend_Auth_Adapter_Http($config);
Check out more on the Zend Manual on different types of auth.