We have a web application which uses local storage (IndexedDB) and if clients use private browsing in Google Chrome (Incognito Mode) or Safari (Private Browser) when they close those windows they loose all the data in local storage. We wanted to find a way to just disable the login button in the web app if they are in private browsers. Is there any way to find out if user is using privately.
Related
In our project we've built an Azure Function which launches Puppeteer in headless mode, goes to our webpage and takes a screenshot of the page which is then emailed out as pdf report. Works locally and deployed to Azure. That was the POC though. Now, we're moving to production and introduced authentication (Azure AD B2C, single tenant), will run each http request via APIM etc.
What happens now:
our Function app was registered in AD as a daemon and receives an access token.
this access token is inserted into 'Bearer ' Authorization header in Puppeteer (page.setExtraHTTPHeaders)
headless browser does not get authenticated and screenshot we receive is of the login screen (Azure SSO)
What needs to happen
we need to convince the react-msal library our FrontEnd is using to authenticate users, that the headless browser should get authenticated and allowed to render the page
The solution I've come up with so far is to replicate msal-react's logic of saving session information into Puppeteer's session storage, so that when msal-react checks for persisted session it will find it and allow headless chromium in. I'm yet to implement it. I'm curious if anyone in the community has experience building something similar.
I'm trying to prevent unauthorized access to the google cloud console, via desktop and also via mobile device.
Via desktop, for example, when I try to access the admin workspace, even though I already have my account logged in, it asks me for the password again, I think that's good, would it be possible to do the same when accessing the google cloud console?
Let's say I got careless and left the computer unlocked with the browser opened, if the attacker tries to open the GCP console, he would succeed, I'm not comfortable with that.
And especially via mobile, let's say someone takes my phone and manages to unlock it, it would access the console freely.
Of course I've already enabled 2-factor authentication on my account, but as I said, if someone took my cell phone and managed to unlock or even unlock my computer, the attacker would access it without any difficulty.
At least configure to request the password again, is it possible to do with GCP?
Thanks!
One can set a very low session length time window: https://support.google.com/a/answer/9368756?hl=en
While one is at it restrict access based on IP address: Can you restrict Google Cloud web console logins to an ip address range?
Finally one can restrict service apis to private vpc ranges:
https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity
What this all does is:
A) timeout the session while your away from keyboard
B) restrict web/mobile console logins to a whitelist of trusted /32's
C) restrict access to GCP to a trusted VPC and VPN connection.
There is a third-party google chrome extension that has been written to interact with my website. It automatically logs a client computer into my website and then submits information to a particular page on my website.
Once this client computer is logged into my secure website, is there a way for this Chrome extension to extract information from other pages that would only be visible when a user is logged into my website?
Yes, chrome extensions have full access to everything you are doing in the browser while the extension is enabled.
Because of security reason it is not allowed to access web browser client's device file from the web application. Is it possible to get an access after getting permission from client user? How one can achieve this?
Note: Web application is written in NodeJS.
You can create a client side application using NodeWebkit. It has been renamed nw.js it allows you to create a desktop application which can make the standard HTTP, etc... requests to your server. You can also wrap your application in order to make it a downloadable mobile app.
I have a beta web application which I want to password protect. I would like to lock down the whole folder as one does in IIS which then force the username/password popup. I have done this with my previous shared host on IIS7. However now that I have migrated the site to Azure Websites, I cannot find a method to do this in Azure.
All feedback, that I have read, on this seem to say that it is forms authentication only. Is this true, or is there a way to password protect a complete Azure Website?
Thanks,
EDIT:
I do authenticate within the web app, since this is a requirement of the web app, but I want a simple password protection over all of this that was external to the application.
Use HttpAuthModule nuget.
You can install Nuget package with Visual Studio. Right click on the project for the website you want to secure. Click "Manage NuGet packages". In the browse tab in the search box, search for the phrase "HttpAuthModule". Select the resulting module and click install. This should install the package and make some changes to your web.config file.
Open the web.config and then edit the settings, in particular change the "value" for the "credentials" parameter to be a "username:password;" of your choosing. Now run your site and you should be prompted to enter a username and password.
Another option which is now available is to use the new Azure Websites Authentication / Authorization feature. This enables you to quickly and easily add Azure Active Directory login to your entire website without any code changes. It also works with site slots, so you can have a beta version of your site in a staging slot which is protected by a login page, and a production version which is exposed publicly.
Blog Post: http://azure.microsoft.com/blog/2014/11/13/azure-websites-authentication-authorization/
Demo Video: http://azure.microsoft.com/en-us/documentation/videos/azure-websites-easy-authentication-and-authorization-with-chris-gillum/
This may also be of value if you want a very light weight Forms auth solution:
https://web.archive.org/web/20211020135904/https://www.4guysfromrolla.com/articles/122408-1.aspx
source code example: https://github.com/fernandoacorreia/StaticAuthSample
use sha1 password https://msdn.microsoft.com/en-us/library/da0adyye(v=vs.100).aspx
create sha1 of password http://www.sha1-online.com/
bonus: force serving over https: https://selimgueler.azurewebsites.net/how-to-configure-azure-web-sites/