Azure B2C How to have a Rolling Session with a maximum session limit? - azure

I would like to configure the custom policy so that
A user who has not been active for more than 1 day will be logged out and forced to sign in again.
If they continuously use the app, their session will let them keep on using the app for many more days.
But after 30 days, even if they've been using the app everyday, they will be forced to log out, and need to login again. Is this possible?
I tried to accomplish this with web session but can't seem to find a way.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior
It might not be 1 day rolling and 30 day upper limit. Maybe it's 1 hour rolling session and 1 day upper limit. So user will need to log in again after 1 hour of idle, or if they keep on using the app, they will need to login again after 24 hours.

Set the following:
1. 1hr access token lifetime
2. 24hr refresh token lifetime, absolute length (fixed 24hrs for SPA apps). Reduce this time below (3) to give a higher chance of the web session being extended.
3. 24hr web session, rolling. Only extends when (2) expires but (3) is still valid.
It gets the closest to your requirements.

The standard refresh token time is 24 hours so that should cover the day of inactivity.
You shouldn't need a rolling session.
Make the web app session timeout "Absolute" which indicates that the user is forced to re-authenticate after the time period specified.
In terms of the forced password reset, look here.

Related

What is more secure concerning Cookies expiration time?

Concerning cookie expiration time, what is the best practice for a secure application?
The login system is a SSO that I can't manage, so the ["remember me"][1] option is not possible.
There are 2 solutions:
1. Time expiration: the cookie would expire after a specific amount of time, i.e. 4 hours. But if the user uses a shared computer and forgets to log out, another user could access the web application.
2. Session expiration: the cookie would expire after the web browser is closed (or [even worse][2]). But what if the user never closes his session and always keeps his computer turned on? The cookie would never expire even if the user doesn't need access to the web application.
Is there not a way to do both at the same time? Base the cookie expiration on the session with a maximum duration of time...
NB: Believing in a security-aware user is a sweet dream, thus trusting the user to log out is not feasible.
[1]: What is an acceptable expiration time for a cookie
[2]: When does a cookie with expiration time 'At end of session' expire?
Since no one else has taken a stab at this question, I'll hopefully get the ball rolling, lol. I'm not sure if this will exactly answer your question, but I'll try my best :).
I think that given the 2 solutions you have presented, along with the dependency of the user behavior, I really don't think there is a good answer in terms of "best practice" (which may also be subjective).
If both solutions were used (that is, a cookie that expires after a specific amount of time [i.e. 4 hours] OR at the end of a session) you would also take on the cons of each of those approaches. So, if the user forgets to log out within the expiration period and does not close their session, there is an issue.
So what I am saying is that in any case, the security is based on the user behavior and there will always be these flaws. Using a mix of solutions (defense-in-depth), as you have suggested, is a good line of thinking.

instagram long lived access token expires after 60 days, enable auto-renew token

I have an Instagram feed on my website. I created a developers.facebook.com account and made a long-lived access token.
However after 60 days I have to log back in and get a new token.
You can renew an access token before it expires.
My question is... can I or should I just create a script that renews the long-lived access token server side every time the page is refreshed?
Seems a bit annoying to do that to Instagram's servers... but what other methods would I have? I don't know how to run a script every 59 days to get a new token.
Any ideas?
Thanks
The renewal can be done only on tokens that are older than a day, so running it before that will make no difference. So, with that in mind, I run the refresh code with every call to the API. If it's already refreshed it will be ignored, so practically it will only get refreshed once a day.
Also, it's worth noting that Instagram limits the number of calls that you can make, so calling the API with every page refresh doesn't sound like a good idea. To avoid running out of quota, I cache the results and only call the API once per hour.
Here's a more detailed explanation of the exact steps that I took. It's been written with WordPress in mind, but for the most part, it doesn't matter much.
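As an added example, not code from the answer above and not the Instagram API itself, here is the "refresh only once the token is older than a day, and cache the feed for an hour so the API is not hit on every page view" logic in Python. The Graph API (the real refresh is a GET to graph.instagram.com/refresh_access_token) is replaced by a constructed counting stand-in so the example runs offline; the token value and the 60-day lifetime are assumptions from the question.

```python
from dataclasses import dataclass
from typing import Callable, Optional

HOUR, DAY = 3600, 24 * 3600

@dataclass
class TokenState:
    access_token: str
    issued_at: float   # epoch seconds when this long-lived token was issued or last refreshed
    expires_at: float  # Instagram long-lived tokens last 60 days from issue

@dataclass
class FeedCache:
    payload: Optional[list] = None
    fetched_at: float = 0.0

class FakeInstagram:
    """Constructed stand-in for the Graph API so the example runs offline; counts calls."""
    def __init__(self) -> None:
        self.refreshes = self.fetches = 0
    def refresh(self, token: str) -> dict:  # stands in for GET /refresh_access_token
        self.refreshes += 1
        return {"access_token": token + "'", "expires_in": 60 * DAY}
    def fetch(self, token: str) -> list:    # stands in for the media/feed call
        self.fetches += 1
        return [{"id": "1", "caption": "constructed post"}]

def maybe_refresh(state: TokenState, now: float, refresh: Callable[[str], dict]) -> TokenState:
    """Refresh only when the token is at least a day old and still valid; otherwise keep it."""
    if now - state.issued_at < DAY or now >= state.expires_at:
        return state  # too young to refresh, or already expired (needs a new login)
    resp = refresh(state.access_token)
    return TokenState(resp["access_token"], now, now + resp["expires_in"])

def handle_page_view(state: TokenState, cache: FeedCache, now: float, api: FakeInstagram) -> TokenState:
    """Per page view: serve the cache if it is under an hour old; only real API calls check the token."""
    if cache.payload is not None and now - cache.fetched_at < HOUR:
        return state
    state = maybe_refresh(state, now, api.refresh)
    cache.payload, cache.fetched_at = api.fetch(state.access_token), now
    return state

def run_simulation(view_interval: int, duration: int) -> tuple:
    """Replay page views every `view_interval` seconds for `duration` seconds; return (refreshes, fetches)."""
    api, cache = FakeInstagram(), FeedCache()
    state = TokenState("tok", issued_at=0.0, expires_at=60 * DAY)
    for now in range(0, duration, view_interval):
        state = handle_page_view(state, cache, float(now), api)
    return api.refreshes, api.fetches
```

With a page view every ten minutes for three days, the feed is fetched once an hour and the token is refreshed once a day, regardless of how often the page is hit.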

How to keep user always logged in without infinite session

Wondering how this is typically implemented. Examples of always logged in websites are StackOverflow, Facebook, and Twitter. It seems like you'd have to have a background job regenerating the session ID (assuming you store session by ID in a database) before the session expires (say you tell the cookie to expire in 5 minutes). So every 5 minutes every session would be regenerated to keep it logged in while also keeping it secure. But before going down that road I'd like to know if this is how others implement it or if there is a more standard approach.
As far as I know, this is how it is done in majority of websites.
A cookie is set with an access token and a limited life (of course, only if the user checks 'Keep me logged in'). If the user comes to visit the site within that timespan, he is logged in and a current session is generated (by the server). And the cookie timespan is reinitialized to the pre-decided time.
Say for example: I log in to a website example.com and check its check box to keep me logged in. Now, as soon as I click the login button and am validated by the server, the server generates a session (for the current session) and a cookie (for future sessions), with a time limit of, say, 1 month. Now, if I come back on, say, the 29th day and open example.com, I shall automatically be logged in using the token set in the cookie. The cookie will send my info to the server and the server shall generate my current session. Most importantly, the server will reset the cookie to expire after one month.
If I return to the website after 30 days, then the cookie will force me to log in again.
I hope my input would be of some help to you.
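The same rule comes up three times on this page: the Azure B2C question at the top (log out after 1 day idle, but never later than 30 days), the cookie question's "base the cookie expiration on the session with a maximum duration", and the one-month sliding cookie in the answer just above. As an added example that is not code from any of these posts, here is that policy in Python: a sliding idle timeout, optionally capped by an absolute lifetime measured from the real sign-in, with the cookie expiry set to whichever deadline comes first. The user name, start time and visit patterns are constructed for the simulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time for the scenarios

@dataclass
class Session:
    user: str
    created_at: datetime    # when the user actually signed in; never moves
    last_seen_at: datetime  # slides forward on every authenticated request

class SessionPolicy:
    def __init__(self, idle: timedelta, absolute: Optional[timedelta] = None):
        self.idle, self.absolute = idle, absolute  # absolute=None means pure sliding

    def is_valid(self, s: Session, now: datetime) -> bool:
        if now - s.last_seen_at > self.idle:
            return False  # idle for too long: sign in again
        if self.absolute is not None and now - s.created_at > self.absolute:
            return False  # hard cap reached, however active the user was
        return True

    def touch(self, s: Session, now: datetime) -> None:
        """Call on each authenticated request; only the idle clock is reset."""
        if not self.is_valid(s, now):
            raise PermissionError("session expired; re-authentication required")
        s.last_seen_at = now

    def cookie_expiry(self, s: Session) -> datetime:
        """Expiry to put on the session cookie: the earlier of the two deadlines."""
        deadline = s.last_seen_at + self.idle
        if self.absolute is not None:
            deadline = min(deadline, s.created_at + self.absolute)
        return deadline

def visits_every(hours: int, days: int) -> list:
    """Constructed activity pattern: one request every `hours` hours for `days` days."""
    return [T0 + timedelta(hours=hours * i) for i in range(days * 24 // hours + 1)]

def simulate(policy: SessionPolicy, visits: list) -> Optional[datetime]:
    """Replay the visits; return the first one that is refused, or None if never."""
    s = Session("alice", created_at=visits[0], last_seen_at=visits[0])
    for t in visits[1:]:
        try:
            policy.touch(s, t)
        except PermissionError:
            return t
    return None
```

A user active twice a day is cut off at the 30-day cap, while the pure sliding policy from the answer above keeps them logged in indefinitely; a two-day gap ends either session.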

Is it OK to refresh Expiration Date every time to send notification ?

Since a registration's expiration time is 90 days,
I plan to check first for every concerned device/registration before sending any notification,
because I don't want to keep anything on the server.
However, I'm not sure if it's a good idea to do.
Is it slow to do for lots of devices?
Also, I cannot find a way to set the expiration time of any registration,
so I've never seen the result when sending to an expired device.
Can anyone suggest ?
The common recommended approach is to refresh the registration on every app start-up, as documented at https://azure.microsoft.com/en-us/documentation/articles/notification-hubs-registration-management/. This ensures that Notification Hubs holds the most recent token provided by the device PNS.

Lotus Domino Server with Kerberos Authentication and XPages

Really weird authentication problem going on - hope someone can help!
The Domino Web Server Log database shows all the requests a particular user is making for pages in an application I look after. The application is XPages-based and the user is regularly pressing Save on the document she is editing (every few minutes). The save does a full update.
The LTPA token is valid for 30 minutes - I assume however that every time the user performs a full update, the 30 minute token is renewed?
However, when looking at the logs, a save of the document at 09:05 shows the Remote User by name, another save at 09:07 still shows the user by name. The next save at 09:11 shows the remote user by IP address instead, and when you look at the log entry in more detail, the server has replied with 401 UNAUTHORIZED (The client is not authorized to access data). This has of course caused the user's browser to lose the work they had open at the time.
The Cookie on each log entry shows :
LtpaToken=AAECAzUwOUI2RjRCNTA5Qjc2NTNDTj1Bbm5lIExhdm91ZS9PVT1VSy9PPVJVSyvsCs5c4tITD9elgI0BCN5CnZ0O; SessionID=DBDFDKDGTI
The same LTPA Token and session ID for entries where the save document worked, as well as where it failed.
Unsurprisingly, they have then refreshed the session by closing the web page and going back in to it following the error and they get a new LTPA token and session ID.
The LTPA Token validity setting of 30 minutes I refer to is defined by our admins in a Web SSO Configuration document for the server, in the "Server\Internet Sites" view in the NAB. It's the Token Expiration (Minutes) setting. Am I completely misunderstanding this setting - should the timeout be renewed every time the user does a full submit to the server? Or is something else going on here?
I don't think the token is renewed. It times out no matter if the user is active or not.
You could increase the expiration timeout to a reasonably high value and then add a lower idle timeout to ensure that sessions don't time out too soon.
Here's an example where expiration is set very high and timeout is set to 2 hours: