I found out an issue at my client's site regarding single sign off. for ease of use, i keep the client site name simple.
We developed site1.com using ektron 8.2sp2 framework and when you log into www.site1.com, you can go into "My Page" link, which takes you to www.site2.site1.com, which is a single sign-on.
This page has a log out button, when clicked, it logs off the user from www.site2.site1.com and you have a 'home' link, which takes you to www.site1.com, to log off from there too.
But, if the user just logs off from www.site2.site1.com and closes the browser, and reopens the browser to go to www.site1.com, it takes the user to the login page of www.site2.site1.com
I am trying to figure out the best way to log off the user from www.site1.com also, when the user logs off from www.site2.site1.com
I dont have access to the source files for www.site2.site1.com So, could some one help me how i can redirect the user to logoff from www.site1.com ?
This happens only in IE 8 and Firefox 3.6 but chrome behaves wonderfully.
Thanks in advance.
i guess, the answer to this is FormsAuthentication.SignOut(); will take care of it.
Related
i have one website and i have added it in bookmark.
the situation is:
i opened the browser and website loaded from bookmarked location now the tab1 contains the website next i am logging it now it is in home page.
then i opened new tab but i didnt loaded any site. then i closed the tab1 then i opening the site from bookmark location. here instead of loginpage its directly loading the page which was in tab2.
when i can close the logged in tab then it should ask for login page in next tab
please help me guys how to achieve this
thanks
You need to logged out the user when page is closing.
You can use onbeforeunload event to manually logged out the active user.
Have a look at this article about Save Changes on Close of Browser or When Exiting the Page
Login cookie is shared in same browser tabs (sometimes even in same type of browser).
In other words, if you login in a tab in IE, you do not have to login in different tabs. Login cookie is still valid, and you are automatically login.
However, if you open same page in FireFox or Chrome, you'll still have to login even if you have logged-in in IE.
Updated: Please do not ask user to re-login if a tab is closed and reopen in different tab (in same browser). Even banking websites won't do that. (Of course, user'll need to relogin if the browser is closed.)
I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out user whenever they leave your site? You cah have global javascript that sends a request to a server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, i'm still on the site". If the server does not get this message from a user longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
you can try using .unload() from jquery to catch page leave. And destroy the cookies on that event.
However, when the machine is just left unattended, nothing stop malicious user to go grab the access.
Update 2 you can just set very short session life! if user is inactive (or left the page) - log them out. To prevent possible annoyance for logging out when user looking on the screen for too long (fills in very long form) - make javascript to do regular (every 5 minutes) to a server to a dummy page - to keep the session live while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc, but it's content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
You can have a landing page of your site to contain nothing by a JS redirect to reals homepage this way when person hits back button he will go back first to the damy redirecting page that move him back to home page.
But it will be possible to override this if user chooses to skip number of pages at once or just opens another window.
Could you provide further information about why exactly is its needed ? I think in your case, there is a possible solution of may be having a separate Database table or field for marking or flagging such users who have been redirected to another site just treat them as signed off and then once they hit your sites URL you can probably check for the flag and sign them back in, automatically.
JQuery unload() function will solve your problems as wel as the javascript window.onbeforeunload...
Is this possible? i have an exit button on my web application, originally, my client request that once they click the exit button, it should CLOSE the tab or the browser itself but afaik that's impossible since the web aplication can be opened via link in an email (outlook,yahoomail etc) via tag, so I suggested this alternative to simply just redirect to the Home (of the user, not the web app). the problem how to Redirect to USER's home page. TIA
if (window.home){
window.home();
}else{
window.location='about:home';
}
Something like that would be my guess.
window.home() reference.
There is no way to detect user's existing settings for a home page. This is a security issue. You can always, however, close the browser window after the user is finished using your application.
JS: window.close();
Not sure that would be advisable (even if it were possible), as users can have multiple homepages. Usually, web applications have a log-out button which would log the user out and return to the application's main page (probably showing a log-in form).
i want to know when account logout without logout button click.
actually i want to manage dashboard. with some events like login, logout with it's activity date and time.
so if any user login so i will entry for login.
and if any user direct close browser so how can i manage logout entry in database.
You cannot reliably detect the user closing the browser or leaving the website.
The way this is typically done is by measuring inactivity period - if the user has had no activity for, say, 15 minutes, assume that he has left.
The browser will fire a clientside event when it is closing, you should then be able to send a request to your server using javascript.
But as driis said, it is not 100% reliable.
http://aspalliance.com/1294_codesnip_handle_browser_close_event_on_the_serverside
EDIT: Sorry, that article was not nearly as useful as i thought.
I have a web site that work with external Credit Card Processing (cybersource)
when user want to buy the webpage redirect to cybersource the user fill his details
and click buy, the page redirect to my web site and show this message
"the current web page is trying to open a site on your intranet do you want to allow this"
the user need to click yes or no how can i avoid this message to show up?
Thanks
My first thought - are you testing this with a server that is on your own intranet? If so then it's a spurious warning that doesn't require any action from you to change. I don't think that many end-users will be using your site from the same intranet as the production webserver. :-)