Is it possible to clear browsing data, cookies, active logins, etc. behind the scenes (programmatically) on Chrome Custom Tabs?
My goal is to have the user be prompted to log in every time they open the custom tab (instead of being logged in automatically).
Shared cookie jar and permissions model so users don't have to log in to sites they are already connected to, or re-grant permissions they have already granted.
Chrome Custom Tabs is the Chrome browser (via the Chrome service and custom Intents) and thus the cache, cookies, etc. are shared (actually the same).
The answer is no, you cannot programmatically clear the data of Chrome.
Note: Right now there is no support of creating an Incognito-based Custom Tab
I would issue the user a transient/session cookie so it does not get persisted if you wish to force a re-login on the start of every new session.
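Whether a cookie is transient is decided by its Set-Cookie attributes: one with neither Max-Age nor Expires is a session cookie. The check below is an added example, not part of the original answer; the function names and the sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs


def lifetime(header, now=None):
    """Return 'session', 'persistent' or 'deleted' for one Set-Cookie value."""
    now = now or datetime.now(timezone.utc)
    _, attrs = parse_set_cookie(header)
    # Max-Age takes precedence over Expires (RFC 6265); an unparsable value is ignored.
    try:
        return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
    except (KeyError, ValueError):
        pass
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparsable Expires is ignored as well
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "deleted"
    return "session"


def survives_restart(headers, now=None):
    """Names of cookies still sent after the browser is closed and reopened."""
    return [parse_set_cookie(h)[0] for h in headers if lifetime(h, now) == "persistent"]


# Constructed sample headers (not taken from the original posts).
SAMPLE = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=xyz789; Max-Age=2592000; Path=/; Secure; HttpOnly",
    "legacy=1; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/",
    "old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]
```

Running `survives_restart` over the Set-Cookie headers of a login response shows which cookies would still log the user in on the next launch.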
"My goal is to have the user be prompted to login every time they open the custom tab (instead of being logged in automatically)"
As of now (July 2020), on AppAuth's request builder you can use the method setPrompt(AuthorizationRequest.Prompt.LOGIN).
This will prompt the user to log in every time.
If this method isn't provided and, let's say, there is some persistence needed (to log the user in automatically after they have logged in). If the server issues cookies to do this, currently it is a challenge to log the user out using an endpoint.
Related
We have a SPA application that makes use of cookie-based authentication. The cookie is validated on the app server by checking the expiration time of the user's stored session in a database.
The client requirement is that each new tab/browser opened should force the user to log in on that new tab/browser instance, thus allowing the user to have multiple sessions open for concurrent work purposes. Closing a tab or signing out needs to expire the user's session for that specific tab and still keep the other sessions active. Refreshing a tab should obviously still keep the user logged in on that specific tab.
At the moment, we make use of a unique identifier to identify the specific tab with its accompanying cookie, in order to only clear the relevant cookie when the user logs out or closes the tab. This unique identifier is stored in Session Storage and gets passed as a header with each server request. This unique identifier is visible in the browser URL, for the reason that when the tab is refreshed, that identifier is used to get the relevant cookie and authenticate it.
This whole process feels clunky and prone to bad security practice.
What type of authentication would be best to facilitate the client requirements?
It feels like a very old-fashioned and outdated requirement, to have separate sessions per tab. One approach is to let the backend redirect each new request to it, to its own unique per-tab sub-domain, so that each sub-domain can get its own independent set of cookies.
like
session1.mysite.com
session2.mysite.com
session3.mysite.com
session4.mysite.com
session5.mysite.com
I've created an ASP.NET MVC4 web site. I've implemented Forms authentication also.
In this web site I want to block a client from accessing my web site more than once at the same time (if a client of my website already has his or her account open on a computer, then that client cannot get any permission to open that same website at the same time on another computer or in any other browser on the same system).
I want to provide one paid service to the user, and I don't want him to just share his username and password with many people to use my service simultaneously without paying for it. Please help me soon.
How can I implement this? Do I need to maintain some login information in the database, or is there any built-in tool available for this?
To my knowledge there is nothing built in, but you may be able to implement your own version of the ASP.NET authorization providers.
Upon successful login you would need to store the value of the FormsAuthenticationTicket in your database and associate it to your user record.
On every page load you would need to check the value of the ticket against the database record for that user. In case of mismatch the user would be logged out.
Using this approach if User A and User B were using the same credentials, User A was logged in and if User B then logged in, it would invalidate User A's session and they would not be able to view content at the same time. You could also log the activity when a session is overridden, along with IP address and User Agent to help you identify users that are sharing account details.
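The ticket check described in the answer above, as an added example that is not part of the original post. It is a framework-agnostic Python model rather than ASP.NET code: an in-memory dict stands in for the user table and a random token stands in for the FormsAuthenticationTicket value. The class and method names are illustrative, and storing only a hash of the ticket is an addition to what the answer describes.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def _digest(ticket):
    return hashlib.sha256(ticket.encode()).hexdigest()  # only the hash is stored


class SingleSessionStore:
    """In-memory stand-in for the user table: one current ticket per account."""
    def __init__(self):
        self.current = {}      # username -> {"hash", "ip", "ua"}
        self.overrides = []    # audit trail of displaced sessions

    def login(self, username, ip, user_agent):
        """Call after credentials are verified; returns the ticket for the cookie."""
        old = self.current.get(username)
        if old is not None:
            self.overrides.append({
                "user": username, "at": datetime.now(timezone.utc).isoformat(),
                "old_ip": old["ip"], "old_ua": old["ua"],
                "new_ip": ip, "new_ua": user_agent,
            })
        ticket = secrets.token_urlsafe(32)
        self.current[username] = {"hash": _digest(ticket), "ip": ip, "ua": user_agent}
        return ticket

    def is_current(self, username, ticket):
        """Per-request check: only the most recently issued ticket validates."""
        row = self.current.get(username)
        return row is not None and hmac.compare_digest(row["hash"], _digest(ticket))

    def logout(self, username, ticket):
        """Only the holder of the current ticket may end the session."""
        ok = self.is_current(username, ticket)
        if ok:
            del self.current[username]
        return ok


def scenario():
    """Constructed walk-through: a second login with the same credentials."""
    store = SingleSessionStore()
    a = store.login("alice", "198.51.100.7", "Firefox")  # sample values
    b = store.login("alice", "203.0.113.9", "Chrome")
    return store.is_current("alice", a), store.is_current("alice", b), len(store.overrides)
```

Because `logout` checks the ticket first, a displaced session cannot end the session that replaced it.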
This feature is not built in.
I would add an "IsLoggedIn" bit column to my "User" table. Then you could check this column to see if the user should be allowed in.
The problem is going to be knowing when that flag should be set to false. It's easy enough to set the flag to false if the user clicks "logout" or in the "on session end" event, but I think you'll run into cases where that's not good enough. For example, if a user logs in from a laptop and the laptop's battery fails, you aren't going to get any notification from the client that the user has left...
I think David has already given most of the idea (+1). However, for problems like closing the browser without logging out, you can handle it in the window.unload() event for setting the flag in your table.
I have a C# web application (IIS 7.0) and I have Smart Card Authentication set up on the site. The user is required to have a Client Certificate associated to their account which allows them to log in. Now I want to go a step further and either after 15 minutes of inactivity on the site, or if the user logs out, I want the website to redirect to a logged out state and a page specifically designed as a log out page. This all works fine, now is the tricky part.
Now, if the user is at the logged out page and wants to log in again, they must select a link to log in again, and I want IIS to ask the user to select their cert again and input their PIN (smart card). How do I force IIS to do this? I would imagine that on the logged out page I need to somehow dump the user cert so that when the user logs in (default.aspx) the system will ask for their cert, but I do not know how to do this. Is this possible?
While a web page that needs a login is open in my browser,
if I close the browser and re-open it, I have to enter the username and password again.
But sometimes, when I close the browser and re-open it for the same page, the username and password aren't needed again?
Is it about Session, Cookie? If yes, why are there different conditions?
What do you think?
Gokturk
It depends on which session state management technique is used. Basically there are 3 state management techniques that can be used in ASP.NET.
ASP.NET state management
I think the webpage is using cookies with some expiry period. If it's a session, then when you close the browser the session will be cleared (InProc mode).
The cookie will expire after the mentioned period; if you are able to log in again after the browser is closed, then the cookie is checked for your credentials.
For the different conditions, the following reasons may account for it:
If you cleared your browser data (sessions, cookies, etc.)
You may have clicked remember password, which would be stored in the browser cache.
So it definitely seems the web site only allows session-based, non-persistent cookies. My guess (as I've seen this on my system as well), the browser is closed, but the process hasn't died off. When you open a "new" browser, it's picking up the existing process with all of the session information still valid. To confirm this, each time you close the browser, check Task Manager to ensure iexplore.exe, chrome.exe or firefox.exe are completely missing before starting a new session.
I have an issue with sessions. My web site is implementing a logged users console, which registers a new user each time it logs in. If I try to open 2 pages within the same web browser, it fails because the method first asks whether the user is already connected, so as not to register it twice.
This method takes as a parameter the sessionID, which is provided by .NET.
My question is: in the same browser (or on the same computer, localhost), is the sessionID always the same, or when is it generated?
By default, new tabs or new windows in a browser will share the same process and therefore the same temporary session cookies for a domain.
To open a new session in IE, choose File > New Session.
SessionID will be the same for the same browser.
On a different browser (or a different computer) you'll get a different SessionID.
That's kinda how it is all over the internet, not just with ASP.NET, because of the way cookies work.
For example you'll notice that you can't log into amazon or ebay using different accounts within the same browser.
SessionId is the same per browser. You can check it by logging in to Yahoo: the first page will ask for the user name and password; if you open the second page it will directly take you to your email account.
Depends on the browser being used and how it's being used; as stated already, the session is shared across the same browser on modern browsers by default. Older browsers such as IE before 8 used to share the session across windows by default as well unless the user opened a new instance of IE outside of the browser's interface (i.e. Start Menu/Shortcut).