I'm using the Auth module for managing users inside Kohana.
When I use the login($username, $password, $remember) method it succeeds validating the user, but then when I ask if the user is logged in (logged_in() method) it returns false.
What am I missing here?
Thanks in advance.
The only thing logged_in does for the default Auth driver is check if there is an active session with a proper key that points to a logged in user.
Your question is too global to be able to give a direct answer, but it might be that the problem stems from improper Cookie settings. Your session will always be saved in a Cookie and if the cookie path and/or domain are not properly setup, then the session will be invalid and Auth::instance()->logged_in() will return false.
Check this link for setting up cookies in Kohana: http://kohanaframework.org/3.2/guide/kohana/cookies
I am working on using Auth0 as authentication for services. I have the following problem. I have created a user, but when I try to make a request with that user I get the following error.
Authorization server not configured with default connection
I have researched this and found I need to Configure the tenant
The Resource Owner Password Flow relies on a connection that is capable of authenticating users by username and password, so you must set the default connection for the tenant.
Go to Auth0 Dashboard > Tenant Settings, and scroll down to locate the Default Directory setting.
Enter the name of the connection you would like to use. Make sure it is capable of authenticating users by username and password.
But I have no idea what they mean by Default Directory. Is that the name of the Auth0 application I generated, since that is the service that is supposed to authenticate users by username and password?
I have generated a SpringBoot app from the auth0 console. Is that what they mean by connection?
Follow these steps.
Navigate to your dashboard - manage.auth0.com/dashboard
On the left menu, click on Settings
Scroll down to "API Authorization Settings"
Enter Username-Password-Authentication in the "Default Directory" input
Hit save - it typically takes about 30 seconds for changes to take effect
In Default Directory put Username-Password-Authentication
My auth0 was configured with a custom database, and when I was trying to get tokens using the Resource Owner Password API, I had the same issue: "Authorization server not configured with default connection".
The solution to this issue was:
Set the grant_type to http://auth0.com/oauth/grant-type/password-realm
Set the realm to the name of the custom database
For anyone else stumbling upon this question, you can also use the Realm property to define a specific Database connection instead of setting up a default one.
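To make the two variants concrete, here is an added example (not Auth0's SDK code) that builds the form body sent to the tenant's /oauth/token endpoint for both the plain password grant, which needs the Default Directory set, and the password-realm grant, which names the connection explicitly and does not consult the Default Directory. The tenant domain, client id and client secret are placeholders.

```python
"""Resource Owner Password request bodies for Auth0's /oauth/token endpoint.
Added example; AUTH0_DOMAIN, CLIENT_ID and CLIENT_SECRET are placeholders."""
import json
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "example-tenant.auth0.com"   # placeholder tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"                 # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"         # placeholder

PASSWORD_GRANT = "password"
PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"


def token_request_body(username, password, audience, scope="openid", realm=None):
    """Return the form fields for a Resource Owner Password request.

    realm=None -> grant_type=password. Auth0 resolves the connection from the
    tenant's Default Directory; if that is unset the response is
    'Authorization server not configured with default connection'.
    realm='Username-Password-Authentication' (or a custom database name) ->
    the password-realm grant, which names the connection in the request.
    """
    body = {
        "grant_type": PASSWORD_GRANT if realm is None else PASSWORD_REALM_GRANT,
        "username": username,
        "password": password,
        "audience": audience,        # API identifier the access token is for
        "scope": scope,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    if realm is not None:
        body["realm"] = realm
    return body


def request_token(username, password, audience, realm=None):
    """POST the body to the tenant and return the decoded JSON token response.
    Performs network I/O; not exercised offline."""
    data = urllib.parse.urlencode(
        token_request_body(username, password, audience, realm=realm)).encode()
    req = urllib.request.Request(
        "https://%s/oauth/token" % AUTH0_DOMAIN, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Either grant hands the user's raw password to your application, so keep Resource Owner Password flows to trusted first-party clients and never expose the client secret in a browser or mobile app.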
When I try to check if a user is valid or not (using username and password) using the web service function 'core_auth_confirm_user', it says 'User confirmation is not enabled on this site' with error code 'confirmationnotenabled'. If anyone knows how to fix this, then please help.
Thanks!
Logged in to your Moodle as an admin, go to admin/search.php and search for the setting registerauth. Make sure the setting has a value set other than Disable. For example, you can set it as Email-based self-registration, in which case the auth plugin that will handle the confirmation would be auth_email. It is also possible that this error may arise if you have somehow selected another auth plugin and that plugin does not implement can_confirm() as returning true in its auth.php config file, but this is very unlikely IMO.
In MVC 4 project I've deleted user from the system while he happened to be logged in. Now he's getting exception from SimpleMembershipProvider methods (or from Membership/Role helpers) that user does not exists.
The issue is, however, that while logged in, instead of any possibility to log off gracefully, he's getting an error page, which would not let him use the site until the auth cookie expires. How to intercept such a situation? It looks like I can't hook anywhere to just handle those exceptions. What is a nice way of dealing with it?
If you are using role-based authorization and have authorization setup correctly in your application, then the graceful way to handle this is to not delete the user but to take his roles away so he does not have access to areas you do not want him to.
Another way to do this is to add an enabled flag to the UserProfile by customizing it as described in this article. Then use the enabled flag in your authorization process by customizing the Authorize attribute to fail authorization if enabled is false. Instead of deleting the user you just flip the enabled flag to false.
I am using WSO2 Identity Server 4.1.0 to perform basic authentication. It is possible to call the AuthenticationAdmin webservice, which contains a 'loginWithRememberMeOption'. The user will then obtain a 'rememberMeCookie', with which he can log in, even if his session (JSESSION) has expired.
I have learned that the loginWithRememberMeOption also has a timeout: 7 days, and that this time cannot be modified: WSO2 Authentication, adding/modifying timeout to the RememberMe cookie
The AuthenticationAdmin service also provides a 'logout' operation. Unfortunately, this operation will only invalidate the session. So if a user has a rememberMeCookie, he will still be able to log in: WSO2 AuthenticationAdmin Logout
The question is, how do I log out a user that has obtained a rememberMeCookie? Preferably using the AuthenticationAdmin?
As I understand there is no direct way to logout a user with a remember me cookie.
I went through the code. Once you login with remember me option, a UUID is generated. Refer org.wso2.carbon.core.services.authentication.AuthenticationAdmin.loginWithRememberMeOption(String, String, String) method in AuthenticationAdmin
The cookie is then saved in database. When you login with remember me cookie, the cookie is checked from the user store. Refer org.wso2.carbon.user.api.UserStoreManager.isValidRememberMeToken(String, String). You can check the JDBC implementation.
So, in order to logout, you might have to clear the cookie from the user store.
Please report a JIRA issue, if you think it might be useful to add a method to clear the cookie.
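The pattern the answer describes (a random token issued at login, looked up in a store at re-login, so logout has to clear that store entry) is shown below as an added example. It is not WSO2's code: an in-memory dict stands in for the user store table, and only a hash of each token is kept so that a leaked copy of the table cannot be replayed.

```python
"""Revocable remember-me tokens.  Added illustration of the login/validate/
clear cycle described above; not WSO2 code.  An in-memory dict replaces the
user store's database table."""
import hashlib
import secrets
import time

REMEMBER_ME_TTL = 7 * 24 * 3600   # the seven-day lifetime the thread mentions

# username -> {sha256(token): expiry timestamp}
_remember_me_store = {}


def _hash_token(token):
    # Store a digest, not the token: the DB row alone must not be a credential.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_me(username, now=None):
    """Login with 'remember me': mint a random token and record its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _remember_me_store.setdefault(username, {})[_hash_token(token)] = now + REMEMBER_ME_TTL
    return token  # goes into the cookie; never persisted in clear


def is_valid_remember_me(username, token, now=None):
    """Re-login with the cookie: hash, look up, and check the expiry.
    Plays the role of an isValidRememberMeToken-style check."""
    now = time.time() if now is None else now
    expiry = _remember_me_store.get(username, {}).get(_hash_token(token))
    return expiry is not None and now < expiry


def logout_this_device(username, token):
    """Logout that also revokes the token the client presented."""
    tokens = _remember_me_store.get(username, {})
    return tokens.pop(_hash_token(token), None) is not None


def logout_everywhere(username):
    """Revoke every remember-me token for the user; returns how many were cleared.
    This is the store clean-up a session-only logout does not perform."""
    return len(_remember_me_store.pop(username, {}))
```

Expiring sessions is not enough on its own: as long as a valid hash remains in the store, the cookie logs the user back in, so a logout (or a password change) should call the clearing step as well.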
I'm trying to implement simple password-based authentication for a web application written using the Happstack framework. My user presents an ID and password, which I hash using bcrypt and check against my database. If the hashed password is in the database for that ID, the user is thereby authenticated.
Once I've authenticated the nice user, I would like then to issue a session cookie which marks that user as being logged in for the duration of the session. (I am not trying to implement a "persistent", "remember me" sort of cookie; I am just trying to find out if the user is logged in for the session.)
Is the presence of the session cookie alone sufficient to authenticate the user?
If not, what other information is needed? I could store the cookie's (hashed) value in my database, but at this point, I don't see how what I would be doing would be much different from a persistent login cookie.
In short, is it possible for me to use a session cookie to identify an authenticated user, and if so, how should it be done?
(I have been able to learn how and why to mark the session cookie as "secure" and "HTTP only", but I can't figure out what to do with the darn thing!)
You can use happstack-authenticate for an existing solution to password logins. If you still want to roll your own however you'll want the happstack-clientsession package for session cookies that the user can't read or write. A normal cookie marked "secure" only means it only works over HTTPS, but the user can still both read and write the cookie. With clientsession the cookie will be encrypted with a server-side key. You can use clientsession both for "remember me" and session logins; it simply depends on what you set the sessionCookieLife to. The default if you use mkSessionConf is Session which is what you want.
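The property the answer relies on, a cookie the server issues under its own key so the client cannot forge or alter it, is shown below as an added example. It is not the happstack-clientsession code and it uses HMAC authentication rather than clientsession's encryption, so the payload is readable by the user but not writable; SERVER_KEY is a placeholder that a real deployment would load from a persisted secret. The same function family covers a browser-session cookie and a "remember me" cookie, the only difference being the lifetime.

```python
"""Authenticated session cookie under a server-side key.  Added example of
the technique described above; not happstack-clientsession's code.  Uses
HMAC-SHA256 (tamper-proof, not confidential).  SERVER_KEY is a placeholder."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # placeholder; persist it across restarts
SESSION_TTL = 8 * 3600                 # server-side validity of a browser-session cookie
REMEMBER_ME_TTL = 30 * 24 * 3600       # lifetime of a persistent "remember me" cookie


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_session_cookie(user_id, remember=False, now=None):
    """Issue '<base64 claims>.<base64 tag>' after the bcrypt check succeeded."""
    now = int(time.time() if now is None else now)
    ttl = REMEMBER_ME_TTL if remember else SESSION_TTL
    claims = json.dumps({"uid": user_id, "iat": now, "exp": now + ttl},
                        separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_session_cookie(cookie, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None.
    Presence of the cookie alone proves nothing; the tag and expiry do."""
    now = int(time.time() if now is None else now)
    try:
        body, tag = cookie.split(".", 1)
        claims_bytes = _unb64(body)
        expected = hmac.new(SERVER_KEY, claims_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time
            return None
        claims = json.loads(claims_bytes)
        if now >= claims["exp"]:
            return None
        return claims["uid"]
    except (ValueError, TypeError, KeyError):   # malformed base64/JSON/shape
        return None


def set_cookie_header(value, remember=False):
    """Set-Cookie line: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Lax; Max-Age only for the persistent variant."""
    attrs = ["session=" + value, "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if remember:
        attrs.append("Max-Age=%d" % REMEMBER_ME_TTL)
    return "Set-Cookie: " + "; ".join(attrs)


def forge_attempt(cookie, new_uid):
    """What a client can do with a readable cookie: rewrite the claims while
    keeping the old tag.  verify_session_cookie must reject the result."""
    body, tag = cookie.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["uid"] = new_uid
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + tag
```

A cookie like this is stateless, so it cannot be revoked before its expiry; if you need server-side logout, keep the short session TTL or store a session identifier (hashed) in the database, which is the step the question was weighing. Encrypting the payload as clientsession does additionally hides the claims from the client but is not what stops forgery; the key-bound tag is.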