IIS current connection doesn't show the accurate amount of open sessions - iis

I'm creating a dashboard for my iis server, one of the things I want to see is how many users have an open session of a website on their pc.
I tried to use current users that iis gives us, however evertime i open a new session on different pc, the current users function shows the right amount of sessions only for a certain amount of time, and afterwards it goes back to zero even though the session is still open.
I was expecting to see all these active sessions as long as they are open.

Related

Clear temporary storage data for a Chrome extension when browser closes

I am building an extension which every time the browser opens asks user for a strong password. Its purpose is that it uses that password to derive and generate strong passwords for new websites upon registration and it tries to regenerate same passwords next time a user visits an already visited website.
I am using below method to store user's masterpassword(used for password generation) which is sensitive information:
window.sessionStorage.setItem(varName)
And I use below method to get it whenever it is needed.
sessionStorage.getItem(varName)
My problem is that I want this data which is stored in browsers data to be valid as long as Chrome open. This master password needs to be cleared every time user closes the browser and to be asked every time it gets reopened.
I read that session storage is temporary and it gets cleared but it does not work for my extension. I also know that there is nothing to add in order to detect browser getting closed as it stops running your script.
Can you please help me with it? Is there such method that keeps data for a short time?
Since Manifest V3 removed the notion of persistent background pages. You can imitate this with chrome.storage.local. The only caveat regarding this is that it stores the variable in the extensions local storage which is still okay for that user.
One way to imitate a browser closing is by creating a chrome.runtime.port that is opened and then when the browser closes or the extension gets reloaded it will call onDisconnect for that port, and you can clear your chrome.storage.local.clear():
chrome.runtime.onConnect.addListener(port => port.onDisconnect.addListener(() => chrome.storage.local.clear()))
When the browser is launched, just connect:
chrome.runtime.connect(null, {})
That might unload itself when background script goes back to sleep, unfortunately, the only way to get passed that is to keep your own managed extension window that pops up. But that might be overkill for user experience.

Netsuite - security message

When I enter user id and password in netsuite every time it asks me my security questions , how can I stop this happening every time. Other people in my team are not having similar issue so I wonder what needs to be changed in my settings
*Note: I am not having administrator role
NetSuite saves a cookie in your browser in order to recognize your machine and browser the next time you log on. If it does not find this cookie it will ask a security question. There are several conditions under which this can occur:
You log on using a different machine.
You use the same machine, but a different browser.
You use 'private browsing' or 'incognito' mode.
You use a browser extension or other program which automatically deletes your browser cache, or cookies, when you exit.
You have your browser itself set to empty cache on exit. E.G.: Chrome has a setting to "Keep local data only until you quit your browser"
Anything else that might interfere with cookies.
You'll need to check which of these apply to you and act accordingly. If you're still unsure what could be causing it, you could reset your browser to defaults, or install a completely new browser and test whether it still happens with that. You may need to disable or uninstall any browser extensions too.

MEAN stack, PassportJS: detecting when client closes browser tab

I have a webserver (Nodejs+express+ passport) that uses passport for local authentication. Does anyone know if there is some kind of callback occurring when user closes the browser tab? I would like to be able to detect this because I am trying to save logout time stamps for those users that do not explicitly logout (i.e. by clicking log out).
Thank you!
I would have asked you to check the questions on SO first, but I think is no way to do it the way you are trying. Well, check these links: how to run code on window close or refresh and how to detect it was close
Basically you can't. This is one of the reasons why many applications show 'last login time' and not logout time to users, see if that works for you.
Regarding saving the logout time of a user: I would say do not store the value at all. The sessions should be allowed to expire based on configuration: users can be logged out even by staying inactive a long time. A logout time for such users may calculated later, based on their last activity time, (which you can store on each page load/call to your server, when you refresh the user's session timer) and the session timeout value. Now this can be calculated when the user logs in the next time, or using a background process.
You can store the lastActivityDate of the user, and assume that a user is considered offline after xx minutes.
You can try to execute a ajax call on window unload, but if the user has two open pages, and he closed one, the data will be false. It is also not certain that the request reaches the server.
You can set a very short expiration time on your session, and while a page is open, do a ajax regular ping to keep the session open.

Detecting people sharing login / account information for a website

I have a website that contains a secure area accessible by logging in with account info. Within the secure area, I have some expensive IP. I have been finding that people are sharing their passwords with other people. Are there any existing technologies / solutions / methods that I can implement to detect fraud patterns?
Thanks in advance for the help.
check geographical region. If within some timeframe multiple logins from regions geographically far apart log in, then you know those credentials have been shared.
Friday morning a log in from NY, Friday evening a log in from China
bandwitdh consumption: if your site offers lots of content, if a user goes over some high limit, it means its credentials have been shared
max bandwidth 5MB/s; then in one day 60*60*24*5MB is your upper limit per day per user
keep a counter of live sessions so you can see how many people log in at the same time. This is imprecise because the same person can log in through multiple browsers from the same IP and have a session on each one.
if they have 100 sessions (4 times/hr), that seems more than one person can do, unless your site expects this behaviour
There are several ways to approach this. But it's really going to boil down to the type of content and how often a given user really is grabbing new content. For adult websites, obviously the primary purpose of the logins is to download new content. I'm not sure about your site.
One way, and perhaps the easiest, is to simply limit the number of simultaneous downloads and/or rate limit each download.
If the files are large enough, you can impose a rate limit on how fast the data transfer takes place. Pick something that's a little slow, but not slow enough to make people mad. I would guess taking 30 seconds to download a file isn't too bad.
Then, only allow them to download 1 or 2 documents at a time per login id. People will be a bit less likely to share their password if they know that they may not be able to download something because someone else is.
Another approach would be to capture the IP address when the user signs in. Yes, I know this changes, but it gives you a starting point. If multiple users are active with the same login id but with different IPs, then you can either send them an alert stating that their account has been "hacked" ;) and that you are changing the password. Change it, kick everyone out, and send the password to the email address you have on file.
Bear in mind, that you don't want to stop a user from accessing it from work then going home and accessing it there. So, you have to make sure that they are essentially online at the same time. This means getting requests from different IPs within a minute or two of each other.
A twist on this would be to detect if multiple session ids are associated with the same login. For example, when they log in, save the current session id to a table. After they log out or a timeout is reached, clear that session id.
Don't let them log in again while another session id is active. Inform them they have to wait xx minutes until the session is cleared OR that another user is currently logged in with their account.
Ask them if they want to reset the session. This allows for situations where someone accidentally closes the browser and goes back to your site. If they pick yes, then stop the currently active session, change the password and send it to the email address on file.
I guarantee this last one will make people stop sharing their passwords. After all if I can't log in because someone I gave my password to is currently online, then this is a pain point I want to stop. Also, if I'm the one who borrowed the password and just locked myself out because the password changed then I'll either get my own account or go elsewhere: both of which are usually acceptable situations.
https://softwareengineering.stackexchange.com/a/442073/422609 has some detailed suggestions on this topic.
Signals that may be useful:
IP
Device identifier (via fingerprinting or other means depending on platform)
Location
User behaviour
You can also look at other means such as using links to get people to login or multifactor auth that adds some friction to the sharing.
I would think more about what you intend to do once you detect someone sharing it. Is the outcome to get them to pay per user or per organization?
It is quite a tricky issue:
If your users change location several times a day, their IP will change, but it's still the same person.
If your user has the same location throughout the day, but connects several times, it could very well be different users, say, in an internet café.
You will have to use a combination of those: if the user changes IP frequently, go and check the map location of that IP, and see if it's possible to travel the distance in the time between the 2 connections. If it's not, it's a fraud.

Session timeout on multiple tabs

I am using Spring acegi security for single sign on on multiple applications. I need to extend session timeout at client side if user writing something on browser too. If user opended multiple sessions or browsers then i need to consider active session on all the sessions he opened. If he is active then i should not log off him eventhough he is inactive in another sessions.
Please suggest me any ideas how to track and know at the client side too.
Any idea is greatly appreaciated. Thank you.
Running application app1 in two tabs say tab1 and tab2.Timeout is 10 minutes. So we implemented timeout functionalit in java script which is at client side. This code gives Confirm box after 10 min. If user says continue, we are extending the session by firing the alive url. This working if application running in a single tab. Same applciation app1 open in multiple tabs say tab1,tab2. Here applicaiton app1 opened in two tabs but single session. We are woking the application which is opened in tab2 and not using applciation in tab1. So application in tab1 is inactive for 10 min.then application in tab1 giving confirm box and we dont answer to that confirm box tab2 will make applciation to log out. So what is the solution for not making logout as we are working application on Tab2. Any ideas? How to track whether application in active in other tabs?
This is not straigt forword answer. (Since I do not think there is a solution for that)
you could try to fire a pixel(*) between the application and by that extends the session time.
lets say that you have:
app1, app2, app3
the user logged in to app1 and app2 and he is working only on app1. if you fire a pixel from his browser to app2 every http request he made on app1, he suppose to be alive on app 2 as well.
I think that if you fire the pixel every 2 minutes between the applications app1,2 and 3 you can save the session alive between the apps.
I have done this twick in PHP application, it wans'nt so easy, but it is doable.
*pixel - it is a hidden http request that runs a script in the serverside. can do it via ajax, img, script src="", iframe and more.
You should be able to store a lastActivity timestamp in localStorage
User activity in any tab updates the lastActivity timestamp
Whenever the timer expires in any tab it should check the lastActivity value before prompting the user. If lastActivity is older than timeout, prompt the user. If not, adjust the remaining time to show prompt
The simplest thing would be to associate the sign-in session with a shared domain. Say you have app1.domain.com, app2.domain.com, app3.domain.com, BUT you have the SSO take place on domain.com, and they all share that session cookie. This is just a matter of setting the domain on the session cookie-- I believe you can do this in the configuration. Anyway, this pretty easy to do, so if this works with your problem, go for it. (Maybe there's some tricky way to do this without that domain hierarchy, but I'm not sure what it is.)
If that isn't workable, you may need a different way to store sessions. My first thought would be to put the sessions in the database. With these, you can synchronize and centrally manage the timeouts. This may require a little bit of custom code-- but it shouldn't be that much.
Not sure this is applicable, but I wrote my thoughts on implementing timeout on the client side as well.
Modified code in javascript to fire ajax request to server and finding the latest activity.
If latest activity is less than 10 mins then there is no logout.

Resources