I am confident my application is coded correctly (at least mostly), as it works about 98% of the time. However, about 2% of the time, I get what appears to be a valid auth token, but when I go to post a photo, I'm getting the following error "(OAuthException - #200) (#200) User must have accepted TOS". I have retry logic, but it gets the same error three times (so it's not a freak communication glitch).
I use the URL facebook.com/dialog/oauth to get the token, and then I use the C# Facebook client (Post method).
The other questions I've seen posted with this error appear to involve consistent failures, indicating an application error.
Is it possible that a person is shown the permissions page (on Facebook) and rejects it, so the user is then redirected back to your website, but with the Oauth error - which you need to handle.
Basically, I want to log in via Facebook, but I don't accept their conditions (eg. you might be asking for too many things). Thus I'll reject the login, and the source website (you) needs to handle the refusal.
After finally reaching someone at Facebook to talk with, it appears this may be an issue on their side- given the massive parallel processing needed to handle their user base, it is possible the auth token provided was not replicated to all other servers by the time my app (from a different location) tried to use the token.
The suggestion provided by Facebook was to allow more time in the retry process- while it is usually handled within a minute, sometimes it can take up to 30 minutes to replicate to all servers.
Related
Excuse me for my poor english.
It's possible get all thread requests from an ASP.NET application?
I don't need execute the complete logout of current user if in same time another clients are authenticated with this same username. Perhaps I could query another request threads for know if I need do that.
I will try simplify the question... Can I know all actives requests from ASP.NET application in a IIS server on C# code?
Now I try get the threads of WebDev.WebServer40.EXE process, but don't seems the requests threads.
I think you are approaching this wrong. You cannot log out a user in the middle of a session since http is stateless and the users credentials are always sent as part of the request, be it a cookie, a Bearer token or some value in the Authorization header.
Performing a logout as part of a single request is therefore not really feasible.
To me it sounds like you want to unauthorize the user without necessarily unauthenticating the user. That is, the user id is still connected to the request, but you no longer want to grant the user access to whatever resource, that was available to the user a moment ago.
This decision is made at a unique point in time, so all requests concurrently with the time you made the decision that the user is now unauthorized will behave differently depending on whether the authorization was checked before or after the unauthorization. New requests are sure to be denied though.
A http request should not take longer than milli seconds or sometimes seconds. Are any ressource you are protecting so important that it cannot live with this inconsistency window, you probably shouldn't expose it via http.
But if you want to make this rather (and perhaps unnecessarily) complex mechanism to unauthorize already authorized request, you should make it as a http handler executing as the last part of the aspx pipeline. It should look at the user id and some kind of shared blacklist maintained by the authorization system.
I think you should live with the inconsistency though. But be sure to separate authentication (who) from authorization (what the user can do).
I did look different possibilities. The best option perhaps is use the System.Web.Administration dll and WorkerProcess.GetRequests method. The main problem is that dll only works with IIS7 version o superiors. Exists some way for get something similar in IIS6? For me the most important is get the current request theads managed by server and know the credentials of each thread and internal info.
I have a website, which was infected 4 years ago (!) by virus, which created many threads and fake users in ASP.NET Community like : /forum/members/Better-Flower-Delivery-Your-Flower-Delivery-c-uj.aspx .
This site is redesigned 2 years ago, ASP.NET Community is removed at all, but right now there are many requests are being went to my web-site (300 such fake requests per 2 hours)!
Of course requestor (robot) gets HTTP 404, but sends and sends such requests. Any ability to block these requests at all? Why do I want to do it?
I use Azure. So, I pay about each incoming data / CPU time to processing request.
these requests add litter to statistic, so, I should check what is it.
You can try to do something like this:
OnBeginRequest event, send to user a fake page with only one html form that contains some special generated number or string for this user inside hidden field and after page is loaded automatically send this form back to your server by js.
On your server, check this generated number, and if it's valid for this user, generate cookie that informs your system, that this is true user and has a browser.
So if user has your generated cookie with your generated pass, you are allow your server to process this request, if not, reject it.
This method allows you to control which request should be processed by your system, 'cause usually robots don't process responses.
Best regards, Dima.
I have webservice which uses ASMX webmethod etc (I know, outdated), it is used to supply mobile devices with data for their apps.
Right now, users can login on any device at any time, as many times as they want. To make this product compatible with a new licensing model, we want to restrict users in logging in to multiple devices.
A user should only be able to be logged in at one device at a time.
I thought of the following solution: save the mobile device identifier last used in a request, and the time of the request in the database. If a user tries to login (within ~10 minutes) from another mobile device identifier -> login fails.
My problem: in which method do I put this code. I want to prevent duplicate code as much as possible.
I have 4 .asmx files with API's, I could put the code in the constructors of all the classes, but I'd rather not. Is there not some "Request_Start" that already has access to GET/POST parameters?
Please refer to:
When the same user ID is trying to log in on multiple devices, how do I kill the session on the other device?
I understand you're asking about ASMX, but I believe this will be a good starting point for you.
I had this same exact requirement, and came up with a pretty slick solution, demonstrated in the link above. In a nutshell, my requirement was to only have one user log-in happening at one time. If that same user ID tried to log in elsewhere, then it killed the session for the first log-in by checking for an existing log-in under a different Session ID (this enabled the user ID to be logged in from multiple instances of their web browser on their computer [same Session ID], which is common, but not from a different computer [different Session ID] (possibly due to someone that stole their credentials, for example)). Through modification of the code you could probably change the behavior of this - i.e., prevent the second log-in attempt instead of killing the first log-in that's already active and in use.
Of course, it may not fit 100% to what you're needing, so feel free to modify it to fit your needs.
I am running a workflow service which automatically posts messages from some blogs on a facebook page. But now facebook deprecate the offline_access permission and I need to find a solution if my application does not run for example 60 days and the access token expired.
I need to find a way to get a new access token with given username and password without user intervention...
Maybe someone of you have a good idea
If your service make timed requests to the Facebook API, you won't need to worry about the token expiration. So, if you request some status or a specific FQL on a timed interval, your token will be extended and will let you post anytime you want.
This solution is a workaround. Even you try to do that, you won't cover all the scenarios. The better way is to mantain the user connected to your app, verifying some constant content day-by-day. With this behavior, you will have an access token for every entrance of the user.
Hope it works.
I have an un-ideal application and without going into the ins and outs this is what is needed.
A 3rd party app needs to make a request to a page which will return data. Because I have Forms Authentication enabled this request always ends up being sent to the login page. I have therefore set it so that all users can see this page even though they are not logged in. What I want to do in the Page Load or similar is to check querystring parameters which the 3rd party app can send and validate it against FormsAuthentication.
When this 3rd party app makes its request a user has already logged on so I was wondering is it possible that I can check something against the currently logged in user to see if it matches the 3rd party request?
What I need to also do is send that information from the logged in user to the 3rd party app so that when it makes its request it matches up with the logged in user.
I may get down votes for this, but I'm going to answer anyway because if one of my co-workers asked me this question, I would read them the riot act. (I won't read you the riot act because I'm not responsible for your systems or the security of your data.)
I see from your first sentence that you realize this may not be the best idea because it is an "un-ideal" application.
I know that what I'm about to suggest will result in duplicate code and add to maintenance down the road, but when you balance that against short-circuiting the authentication mechanism or tampering with a well-known and trustworthy mechanism to weaken it so as to allow another application to use a "back door" (which is what you're really talking about doing here - creating a back door for this other application but attempting to use querystring parameters as part of the login mechanism) it is really the lesser of two evils to have more code and more to maintain.
So... Have you considered, and is it a possibility for you to set up another method for this other app to get the data? You say that it is just getting data, so why not have a separate web services project or some other project appropriate. Even another web site application would be a better solution to what you're proposing.
Even if this data is not what you would call "Sensitive" I still think trying to build in a back door is a bad idea. It may not be a critical issue on the current application, but not coding for security is a habit, and once you do it in one area, you're more likely to take unnecessary risks elsewhere.