Sitecore website not re-directing to login - sitecore

When I access my Sitecore website, it seems to be authenticating some user -- I can tell because I check the cookies in my browser and see that a session ID has been issued. I'm confused as to which user is being auto-authenticated and how I can disable that. I would expect to be required to authenticate via the login page that I've specified in the sites section of the Sitecore web.config, but I'm not getting redirected to the login page. Is there some anonymous access granted to a default user that I need to disable?

By default the extranet\anonymous user is used. If you do not want anonymous access, you should break the inheritance for that user, probably on your home item.
Do make sure that your login page is accessible for that user though, otherwise nobody can log in.

Related

django redirect to other page and auto login to that page

Is there a way to redirect to another page and automatically log into that page?
So it's like I make a Django web page with a login and create a link to Facebook. When the user clicks the Facebook link, it should automatically log in to his Facebook page. Of course, I will have his Facebook username and password in the DB I used to create the website.
Is this possible? Basically, I am trying to create an interface page in Django with links to several different web pages and let the user access his pages by simply logging on to this interface page alone.
I suggest that you have a look at django-allauth, which is an integrated set of Django applications addressing authentication, registration, account management, as well as 3rd party (social) account authentication.
It does most of the things you want; you can go through the documentation:
https://django-allauth.readthedocs.io/en/latest/index.html

How django sessions work

I am new to Django. I made a registration page and a login page; now I want a registered user to log in to my website. When a user is logged in, I want to associate a session with the user which only dies when he logs out or closes the browser.
Now, whenever the user loads the page, even after a week if the browser is not closed, he should be granted access. Django is storing sessions in its database, but will I be able to authenticate the user, as different users have different permissions? Can someone suggest any resource for my requirement?
I found what I needed: http://gavinballard.com/associating-django-users-sessions/ It's done by creating a custom model extending the default one.

Login page responsible for different applications

I have a workspace in which I have many applications based on the same schema.
Every application has its own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts; I know I have to change the cookie name for all the apps that I want to share the authentication.
But my question is:
If I log in successfully with a user different from ADMIN, I am still able to access all the applications via URL, even if their link is not visible on my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application, you could check on each page whether the current user was authorised for that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using checksums would prevent a number of issues for you.
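One way to implement the per-application authorisation scheme suggested above, as an added example that is not part of the original answer. It assumes a constructed table `app_user_access` mapping usernames to application IDs; `:APP_USER` and `:APP_ID` are APEX built-in substitution items.

```sql
-- Constructed lookup table: which user may enter which application.
CREATE TABLE app_user_access (
  username VARCHAR2(255) NOT NULL,
  app_id   NUMBER        NOT NULL,
  CONSTRAINT app_user_access_pk PRIMARY KEY (username, app_id)
);

-- Returns TRUE when the user is ADMIN or explicitly granted the application.
-- Shared by every application so the rule lives in one place.
CREATE OR REPLACE FUNCTION is_authorized_for_app (
  p_username IN VARCHAR2,
  p_app_id   IN NUMBER
) RETURN BOOLEAN IS
  l_count PLS_INTEGER;
BEGIN
  -- ADMIN sees (and may open) everything, as the question states.
  IF UPPER(p_username) = 'ADMIN' THEN
    RETURN TRUE;
  END IF;

  SELECT COUNT(*)
    INTO l_count
    FROM app_user_access
   WHERE UPPER(username) = UPPER(p_username)
     AND app_id = p_app_id;

  RETURN l_count > 0;
END is_authorized_for_app;
/

-- In each application: Shared Components > Authorization Schemes,
-- type "PL/SQL Function Returning Boolean", with the body:
--
--   RETURN is_authorized_for_app(:APP_USER, :APP_ID);
--
-- Then assign that scheme as the application-level authorization scheme
-- (Shared Components > Security Attributes), so every page is checked
-- even when the user types the URL directly instead of following a link.
```

Hiding a link on the main page only changes what the user sees; the authorization scheme applied at application level is what actually blocks direct URL access.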

facebook graph api logout after fetching profile details

I am implementing a "login with Facebook" feature using the PHP SDK, and I am able to grab user profile details. But after that the user remains logged in. Suppose a user is accessing my site and, after using the "login with Facebook" feature, leaves immediately; then the next person sitting there can use (misuse) the previous person's account.
1) How can I automatically log out the user after fetching what I needed? (I don't want to show the user a "Facebook logout" button.)
2) Is there any way I can only log out the user from my app and not from Facebook? (I mean, if the user is already using Facebook in another tab, then it should only log out the user's Facebook session from my app.)
Assuming all the usual security measures are in place (session timeouts apply to FB logins, FB data doesn't leak across distinct PHP sessions, logging out of your site clears FB session data or moves to a login/front page with no FB access), websites with Facebook integration generally don't bother securing their FB integration on a per-request basis. It's the user's own fault if they leave a browser window open and logged into your website; there's not a lot you can or really should do about that kind of mistake.
All that being said, you can call getLogoutUrl and then redirect the user to that URL to log the user out of the current session, OR you can use the JavaScript SDK's FB.logout(). Both options are mentioned here.

Can I use Pages to authorize on my website in the same way Facebook Connect does?

Is there any way to authorize a user (acting as a Page or Page administrator) in the same way FB Connect does, but using Page data?
E.g. I would like a company, say a local barber, to authorize in my system as a certain Page (it can be indirect, i.e. through a private account, but I would like to know if this user is a Page administrator). The purpose of this is to link an account on my website with a certain business that has a presence on Facebook.
Well, you could ask the user for the manage_pages permission and check whether the page you're interested in is amongst them, but since that'll also give your app their page access tokens, I doubt they'll grant you that.
Less intrusive and much simpler would be to have them install your app on their page as a page tab, and then look into the signed_request parameter once they're using your app; it has a boolean flag for whether the user is an admin or not. After that they can remove your app again.