How to use DSSession to implements DataSnap authenticated sessions(HTTP/HTTPs)?????
My problems are:
I try to login into Login.html, then login complete Server Redirect into home.html
But in page Home.html not identified yet, So cant use Function.ServerMethod();
I wana to SetCredential(user:pass) in Home page used DSSession or anythings same.
In Home page , if not login, Redirect into Login again.
Before in Login.html confirm user and pass :
procedure TWebModule1.DSAuthenticationManager1UserAuthenticate(
Sender: TObject; const Protocol, Context, User, Password: string;
var valid: Boolean; UserRoles: TStrings);
var
session: TDSSession;
begin
//valid := True;
FormMain.Debug(['Before IsLogin : ',IsLogin],'?');
if not IsLogin then
IsLogin := (User = Password) and (user <> '');
valid := IsLogin;
FormMain.Debug(['IsLogin : ',IsLogin],'?');
FormMain.Debug(['UserAuthenticate :',User,Password],'?');
if valid = true then
FormMain.Debug(['UserAuthenticate : valid = true'],'?')
else
FormMain.Debug(['UserAuthenticate : valid = false'],'?');
if valid then
begin
Session := TDSSessionManager.GetThreadSession;
Session.PutData ('username', user);
UserRoles.Add ('standard');
if User = 'admin' then
UserRoles.Add ('admin');
end;
end;
Then redirect into Home.html. But in this page cant use Serverfunction(). ( errror 404, not Unauthorize)
Related
In ASP.NET Core 6 MVC multi-tenant application tenants have different path base like /tenant1 and /tenant2.
Middleware sets HttpContext PathBase from request url.
SignInAsync method always sets authentication cookie path to the root path /.
I'm trying to set authentication cookie path from PathBase using this code snippet:
Path = Request.PathBase.HasValue ? Request.PathBase.Value : "/"
The code shown below throws a compile-time error since AuthenticationProperties does not have a Path property. How to set cookie Path property so that different users can authenticated with different base paths?
public class AccountController : Controller
{
public async Task<IActionResult> LogOn(string user, string password)
{
if (password != "secret")
throw new ApplicationException("Bad password");
var claims = new List<Claim> { new Claim(ClaimTypes.Name, user) };
var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
var authProperties = new AuthenticationProperties
{
IsPersistent = true,
AllowRefresh = true,
// TODO: this throws compile error since Path property does not exist
Path = Request.PathBase.HasValue ? Request.PathBase.Value : "/"
};
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties);
}
}
You should be able to achieve this by writing your own ICookieManager and setting it when adding cookie authentication scheme.
ICookieManager methods get HttpContext as input so you have access to PathBase from there.
builder.Services.AddAuthentication()
.AddCookie("Cookie", options =>
{
options.CookieManager = CustomCookieManager();
});
Here's the default implementation of ICookieManager : ChunkingCookieManager
I have an authorization scheme for my application that checks first if the username entered is a username in the system and then whether the user has access to this particular application. The login issue I am having is that the user will login in once and get denied and have to login a second time and it works. I think the issue is that the :APP_USERNAME is not stored for the first login attempt and then is stored in the application for the second try. I know there has to be a way around this, but I have yet to figure it out.
u_id number := null;
app_id number := null;
auth_id number := null;
authorized number(1,0) := 0;
auth_status char := 'f';
failure_reason varchar2(200) := null;
begin
begin
select id into u_id from user where username=:APP_USERNAME;
exception
when NO_DATA_FOUND then
u_id := null;
failure_reason := 'User not found:' || :APP_USERNAME;
end;
select id into app_id from lkup_application where name='Application Name';
if (u_id is not null) then
begin
select id into auth_id from authorization where application_id = app_id and user_id = u_id;
exception
when NO_DATA_FOUND then
auth_id := null;
failure_reason := 'User not authorized from authorization table.';
end;
end if;
if (auth_id is not null) then
authorized := 1;
auth_status := 's';
end if;
insert into access_audit values(null, :APP_USER, app_id, current_timestamp, auth_status, failure_reason);
commit;
return (authorized = 1);
end;```
Well, it is :APP_USER, not :APP_USERNAME so I suggest you use it.
As a beginner of GO, I've got a situation as following:
t, err := template.ParseFiles("/template/login.tpl")
err = t.Execute(w, nil) //if executed before SetCookie
http.SetCookie(...) //failed, browser received nothing
If the sequence is changed, to SetCookie first, it'll work.
My plan was to ParseForm() username and password in login.tpl, if success, a sessionID would be sent by SetCookie. But now SetCookie() must be placed before login.tpl is Executed, which also makes ParseForm() run before login.tpl is executed :
r.ParseForm( ) //ParseForm() works even before template is executed
email := r.FormValue("email")
pass := r.FormValue("pass")
var loginPass = checkLogin(email, pass) //verify username and password
if loginPass == true { //if correct
cookie1 := http.Cookie{Name: "test", Value: "testvalue", Path: "/", MaxAge: 86400}
http.SetCookie(w, &cookie1) //setCookie works
fmt.Println("Login success: ", email)
} else { //if incorrect username or pass
fmt.Println("Please login: ", email)
}
t, err := template.ParseFiles("/template/login.tpl")
err = t.Execute(w, nil) //now template execution is here, also works
But why it should be written like this? Please anyone give me some advice! Thanks a lot.
This is a common error tied to the HTTP protocol working: the cookie is sent in a header of the HTTP respo7nse, which cannot be changed after the body start being sent.
So, when you do the t.Execute(w, nil) call, you start writing the body of the response and thus cannot add cookies afterwards.
This is the exact same reason why in PHP the session_start() call must be the very first instruction of the page, even before any whitespace.
I have two sites https://www.somesite.com (user site) and https://admin.anothersite.com (admin site) and I am using Identity Server 3 for access control, this is hosted on https://identity.somesite.com.
The sites are configured in identity server as the same client (different redirect urls) with cookie based authentication. I’d like to provide a mechanism where users of the admin site can impersonate users of the user site.
I’ve seen that I can issue cookies using the IssueLoginCookie, but that call needs to be on the identity server, so given that it’s on another domain, I can’t see how that would work.
How can I go about supporting user impersonation in identity server?
Update
I now have the admin site generate a url like so:
var url = 'http://localhost:61826/connect/authorize'
+ '?state=' + encodeURIComponent(((Date.now() + Math.random()) * Math.random()).toString().replace(".", ""))
+ '&nonce=' + encodeURIComponent(((Date.now() + Math.random()) * Math.random()).toString().replace(".", ""))
+ '&client_id=mvc'
+ '&redirect_uri=' + encodeURIComponent('http://localhost:64822/')
+ '&scope=' + encodeURIComponent('openid profile roles api1')
+ '&acr_values=' + encodeURIComponent('loginas:3230')
+ '&response_type=' + encodeURIComponent('id_token token')
+ '&prompt=login';
window.location.href = url;
This allows me to pickup the login event in the PreAuthenticateAsync method on my custom IUserService and intercept the login. My current implementation is:
public override async Task PreAuthenticateAsync(PreAuthenticationContext context)
{
if (context.SignInMessage.AcrValues.Any(acr => acr.StartsWith("loginas:")))
{
// Would need to also ensure that the user has the relevant persmissions to impersonate another user
var subjectId = _owinContext.Authentication.User.GetSubjectId();
var login = new AuthenticatedLogin
{
Name = "Impersonating For Fun",
Subject = "3230",
Claims = new List<Claim>
{
new Claim(Constants.ClaimTypes.Subject, "3230")
},
PersistentLogin = true,
IdentityProvider = Constants.BuiltInIdentityProvider,
AuthenticationMethod = "Cookies"
};
_owinContext.Environment.IssueLoginCookie(login);
var impersonationClaims = new List<Claim>
{
new Claim("AdminUserId", subjectId)
};
context.AuthenticateResult = new AuthenticateResult("3230", "Impersonating For Fun", impersonationClaims);
}
await Task.FromResult(0);
}
The user is not shown the login page and is correctly redirected to the target url. However, the user has not changed to the new user, but rather remains as the original user. What am I missing?
Are you setting the domain wide cookie? Can you confirm it in browser?
i am new in the opencart. now i have make some category restriction means user must have to login to see that category. so when user click on that category if he is not logged in then he will redirect to the login page. The above process is working fine
now once i login i want to redirect to the same category page.
when i come to the login page i can see the value of "$_SERVER['HTTP_REFERER']" is as i want
site.com/index.php?route=product/category&path=62
now as i read the tutorial online then told me to change some code in this file "project\catalog\controller\account\login.php"
i have replace the below code
$this->redirect($this->url->link('account/account', '', 'SSL'));
To
if (isset($_SERVER['HTTP_REFERER'])) {
$this->redirect($_SERVER['HTTP_REFERER']);
} else {
$this->redirect(HTTPS_SERVER . 'index.php?route=account/account');
}
when i come to the login page i have right link in the HTTP_REFERER but when i click on the login then it become the login link in referer. so how can i set that ?
can you suggest me how can i do this ?
i am confused about it.
The problem is that after the login request (which shall be POST) the form is submitted to the same URL thus the previous referrer is replaced by the login page. It goes like this:
referrer when redirected to login: site.com/index.php?route=product/category&path=62
referrer after login request: site.com/index.php?route=account/login
Therefore store Your current URL into the session within the category controller before You are redirecting to login:
$this->session->data['redirect_after_login'] = "<CURRENT URL GOES HERE>";
$this->redirect($this->url->link('account/login'));
Now in login controller after successful login action check whether the session variable exists and if yes redirect to it:
if(!empty($this->session->data['redirect_after_login'])) {
$url = $this->session->data['redirect_after_login'];
unset($this->session->data['redirect_after_login']);
$this->redirect($this->session->data['redirect_after_login']);
}
Before redirecting user to a login page you can set a $this->session->data['redirect'] variable to an URL where user will be redirected upon successful login.
The following code, for example, will redirect visitor to the list of addresses after successful login:
$this->session->data['redirect'] = $this->url->link('account/address', '', 'SSL');
$this->redirect($this->url->link('account/login', '', 'SSL'));
Or you can modify the catalog/controller/account/login.php like this.
A. Change
if ($this->customer->isLogged()) {
$this->redirect($this->url->link('account/account', '', 'SSL'));
}
to
if ($this->customer->isLogged()) {
$this->redirect($this->url->link('account/account', '', 'SSL'));
}elseif(!isset($this->session->data['redirect']) && isset($_SERVER['HTTP_REFERER'])){
$this->session->data['redirect'] = $_SERVER['HTTP_REFERER'];
}
B. And change
$this->redirect($this->url->link('account/account', '', 'SSL'));
to
if(!empty($this->session->data['redirect'])){
$redirect = $this->session->data['redirect'];
unset($this->session->data['redirect']);
$this->redirect($redirect);
}else{
$this->redirect($this->url->link('account/account', '', 'SSL'));
}
I have created an extension for this on the Opencart.
https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=13998
It has 3 features:
Page after login.
Page after logout.
Plus Strict Login.