I've been working on a project to create an FDA part11-compliant e-signed document repository. The mandate is that it use Perforce to track the various revisions of the documents, utilize LDAP (AD) as the authentication/access directory, and re-authenticate the user at the point they submit a changelist.
The first two requirements are in place, but I am having trouble with the last one. I have a script at the "change-submit" trigger which logs out the user - assuming that this would force the client to re-authenticate the user before continuing with the process - but this does not work, at least for the command line client; the user is logged out but the process completes, and the next command attempt from the user is the one that gets denied.
Setting the script to handle the authentication process is not an option as it is run server-side and there is no way to pass a prompt through to the user.
I could of course pass authentication as command-line arguments to the script and then return non-0 to force the process to abort if the credentials are false, but I have not found a way to modify the commands sent for a given action by the p4v GUI, nor again to have the client prompt the user for authentication; and, this would result in the password being displayed as clear text consistently.
Setting the ticket timeout to an extremely short duration would definitely require the user to authenticate prior to submission, but also before any other action.
Has anyone out there dealt with something like this before, or does anyone see an angle of attack that I am missing? Thanks!
Thanks avp for your attempt to help, but my issue was not that the logout wasn't performed, but that the submit that triggered the logout script was concluded anyway.
I basically ended up setting up different groups, one which had all rights except write, and then a group for each authorized user which had write rights, but expired in 90 seconds. I then put all users in the non-write group, and then had a trigger set on login which parsed the password given to determine if it contained a request to join the group with write rights (which was set into a p4v script) and, if the remainder of the passed-in password was correct, assigned them to that group.
I've had it in production for a few months now with no issues.
Well, I have no idea why it did not work for your client, but you can try this:
remove the p4tickets.txt file or remove the necessary line in this file after you logged out.
(After I log out I can see that one line (the line for the client I logged out) is removed from the p4tickets.txt.
Each time I have any problems with logging in/out I remove this file and it helps.
Related
I need to implement a lock and unlock mechanism in opendj 2.6 based on a fixed failed login attempt. I've already seen that there are two methods (https://backstage.forgerock.com/docs/opendj/2.6/admin-guide/#chap-account-lockout). a manual method (which I don't care about at all because I've already done some testing and found that it only allows manual locking and unlocking) and the second one which was perfect for me because, by modifying the password policy, it allows me to set a fixed number of failed attempts and set a lockout time out.
my goal: I need to find a way to unlock this type of locked users without spending the entire lockout time.
my problem: i have already read the documentation and apparently resetting the user's password is the only way.
ps: I also noticed that, when a user is locked, some attributes are added to his entry, such as: pwdAccountLockedTime and I thought I could delete this attribute manually, but that field was a non-editable field (and also I had no certainty that it would work).
Do you have any suggestions? Or is it simply not allowed?
As you have already identified, the proper way to unlock an account after N consecutive failures is to reset the password. If a user is entering a wrong password 5 times, do you think he will know the correct one the 6th time ?
Otherwise, OpenDJ has a tool called manage-account, where specific operations are possible. This should only be used by an admin with care.
I believe not all operations are documented, but you may read the code to understand them all.
I'm new to Symfony and PHP (previously worked with C++, Java) and I can't find any solution on how to log user login and logout actions to a database. I want those specific informations:
user who took the action (via userId),
action description (login or logout),
current timestamp.
I'm looking for the simplest possible solution. I managed to successfully log information on user login by modifying function rendering user login form, but I failed miserably when it comes to logout. I know it is a terrible idea after all, but I couldn't come up with any better one. Any suggestions? Thanks in advance.
If you have a look here, it says you can define a success handler and a failure handler which you use to log stuff to your database. You can also find the handler parameters defined in the reference documentation.
Login
You would first create a service which get's the security.context and entityManager as parameters and uses both to determine which user logged in. This service is then added to the success_handler parameter and therefor called after the user logs in.
Logout
This one is more tricky I guess, as I would assume that the security.context has no information about the user anymore and you cannot use it to determine which user is logging out. You may want to look into what the handlers parameter actually is. It might be a handler which is called while processing the logout, so you could use it. Of course you might log some logouts which fail because without the success handler you cannot be sure the logout was successfull. On the other hand, maybe you can get the session id from somewhere (again, security.context maybe) and log this instead.
.. Or is it enough to just check for a session variable that indicates a successful login has in fact been performed?
What are different ways to go about this? The ideal and not so ideal?
Thanks!
Third alternative: HMAC-ed cookie. No need to hit database/session-store at all.
Details.
Even if a user has an active session that is restores via cookie for example, you need to verify his account data.
If you don't check the current database entries for a user, he could possibly login although his profile has been banned or something like that.
The reverse situation can happen if your user opens a session in one browser (at home for example), upgrades his account to some "premium" (or whatever) account with another session (maybe from his office). When he returns home, he would get his old session that has no "premium" privileges.
So, always check the data for your user profiles. I would recommend to check them on EVERY request to your website. Your session data should only say WHO the user is and not WHAT he is allowed to do.
how do I prevent my users for more than one simultaneous login per account. I am using Vb.Net SQL.
Just coming from a 'web programmers' point of view, there is one really simple way:
You have to use some sort of central session system, where a Cookie on the user's browser has a hash, or some unique key that is also stored in the database. One each page request, or at set intervals, you check if that hash exists in the database.
Then, whenever you have a user log in, you delete any hashes that are tied to that user in the database, and then you create a new one for the user logging in.
What happens is if a user logs in, and you delete existing hashes from the database, then the other user will be logged out when you go to check for their hash in the database.
Not VB-specific, but: when the user logs in, keep track of the fact they are logged in. You can keep this in a cookie (watching out for the fact that a cookie can be tampered with.) You can keep track of it in a session variable. Or you could keep a boolean field in the database, "is_logged_in".
Then, when the user attempts to log in, you can check to see if they've already done so. If they're already logged in, the script might just return them to the home page (provided they used valid credentials. Otherwise a rogue user could type a username but leave the password blank, and depending on the behavior of your program, could see if a user was logged on at that specific time.)
Also, it is common that when someone is logged in, the webpage itself replaces the "Login" link with some text that says "Welcome, rascher!" and maybe links to their profile or preferences page.
Edit: Also remember to set is_logged_in (no matter how you track it) to "false" if they log out. It might also help to time this out - say, when the user closes the browser, or after "n hours" of inactivity (though that can be really annoying.) It will depend on how long people are generally logged into the system. Also note that someone might log in on their home computer, stay logged in, and then try to log in to the same place from work or their iphone. You might could look at ways of dealing with this (if the IP address is different than the current login, then log the other person out? Or something.)
In our system one client may have multiple operators. However there is a "wish" from client.
One company has an account, however there can be mulitple operators assigned to this company. Client wants us to prepare a solution that only one operator from company can log in to the system at same time. How can I achieve this?
Just by making sure they system has the ability to validate the login on each request. Either
Actively (by querying state -- possibly a database to compare some secrets) or
Passively -- using some form of cryptography and tokens (possibly in the cookie).
Option one is easiest, option 2 is fastest. If you validate on each request you can make sure that only one user remains logged in -- if another user signs in you can invalidate the existing active login -- perhaps with a cooldown period of n amount minutes.
You have to develop some form of login scheme -- kerberos is the defacto scheme -- read this easy to follow tutorial on kerberos Designing an Authentication System: a Dialogue in Four Scenes It should show you what you really need to do.
You could use a database field to flag that they are logged in. Update the field to 'logged in' when they do so, and then update it to 'logged out' when they log out.
You'd also need to monitor login sessions for expiry to update the field if a user never bothered to explicitly logout.
The best approach I've used:
Create a table used to track whether an operator is logged in (e.g. userid and last_accessed_dt)
On each page request by the operator update the last requested date/time
When an operator attempts to login they can only do so if the last requested data/time > timeout period of sessions on your website (E.g. 30 minutes) or if they are the Last Operator User ID ... this way they can quickly recover from a logoff etc.
When an operator logs off have the Last Accessed cleared
When the session times out have the Last Accessed cleared
"I am using WPF application and the server is written in WCF, however this can be achieved. But what in situation when user has an application opened and was inactive for 30min?"
This system is going to be single-user, so I suggest you start a counter thread when a user logs in. When counter reaches 30 minutes, write a value to the db indicating that user has timed out and other users are free to login. Obviously, you should do the same thing when user explicitly logs out.