Prevent Browsers back key after logging in in laravel 5.4
Hi,
I want to prevent browser back key after logging in into laravel site.
i.e. simply once user successfully logging in into my site then after instantlly it clicks on browsers back key, and it redirects to login page,
it should not redirect on login page after it successfully logged in.
then after it clicks on browsers forword key it redirect user to home page of the site.which would not happen.
please help,
Thank you.
Yeah,
I got the solution,
I simply put this javascript code to my dashboard view file that rander after login.
<script type="text/javascript" language="javascript">
window.history.forward(1);
document.attachEvent("onkeydown", my_onkeydown_handler);
function my_onkeydown_handler(){
switch (event.keyCode){
case 116 : // F5 Key;
event.returnValue = false;
event.keyCode = 0;
window.status = "We have disabled F5";
break;
}
}
</script>
Related
I need a help! I am newbie in chrome extension and I am get stuck with my below case so anyone can look into this case?
We need to load HTML pages with user details by conditionally in default popup box from popup.js file. I have added below code in popup.js. When user is logged-in extension then call "main.html" file (we are storing user details in chrome.storage by using chrome.storage.sync.set() APIs and get that user details by following code in popup.js file).
and when user logout then show "login.html" in default popup
chrome.storage.sync.get(["user"], function(items) {
if (!items.user){
window.location.href = "login.html";
}
else {
$("#usernameId").text('Welcome '+items.user.username);
$("#totCreditId").text(items.user.tot_credit);
$("#leftCreditId").text(items.user.left_credit);
window.location.href = "main.html";
}
});
It working fine but user details are not reflected (username, total credit, left credit etc..) in main.html page, Can you please correct me what I am doing wrong in it?
Thanks in advance!
We have a Single Page App (SPA) that uses Azure Active Directory "Easy Auth", e.g., the code-less solution. This seems to work ok when users first open the the application. They are redirected to the Microsoft login page and they can authenticate and then access the application.
Then, because its an SPA, users will navigate around and only fire Ajax requests. The problems come approximately 24 hours later when the session cookie expires. Users likely still have the same browser tab open and do not perform a full page refresh. Then they may be working on a record and at some point their next Ajax PUT request fails with a Redirect HTTP status and they loose their work.
So they key question is:
How can we make SPA Ajax requests extend a current user's session so that their session will not expire when they are actively using the application?
It seems like the Azure AD Easy Auth service does not "honor" activity on the part of the user, which leads us to believe that the session cookie never gets updated.
Note: We've recently done some testing with the /.auth/refresh endpoint and this does not solve the problem either.
There are several ways you can possibly solve this. Here are a few that I can think of:
Use local storage: The problem you mentioned is that user's lose their work due to the redirects. The problem of losing work can be solved if you persist the in-progress state in local storage so that it's available when they are redirected back to the page.
Switch to using tokens: The /.auth/refresh endpoint doesn't refresh the AppServiceAuthSession when using AAD because AAD doesn't support refreshing the user information. What you can do instead is authenticate with your backend using the x-zumo-auth tokens. The /.auth/refresh endpoint will correctly refresh these tokens. If you're explicitly logging in users using /.auth/login/aad, then you can add the session_mode=token as a query string parameter. This is done for you if you use the Mobile Apps JavaScript SDK. If login is automatic, then you'll need to add session_mode=token in the additionalLoginParams setting of your auth config. You can then parse the authentication token from the #token fragment which is added to the URL after the login completes.
Use hidden iframes: I haven't tried this myself, but if you can get it working it might require the least amount of code change. The idea is that you use a hidden iframe to re-login the user periodically when you detect they are active. The iframe would need to point to something like ./auth/login/aad?prompt=none&domain_hint={userdomain.com} where {userdomain.com} is the last part of the user's email address - e.g. contoso.com. These parameters get passed to the AAD login page, and the login should complete automatically without any user interaction. Test it manually a few times in a browser window to make sure it works correctly. The result should be an updated auth cookie with a fresh expiration.
Let me know in the comments if you have any questions or issues with any of these options.
Expanding on Chris Gillum's answer with implementation example:
Scenario: Single Page Application (SPA) with Progressive Web App (PWA) capabilities, hosted in Azure Web App. Added authentication using Azure Web Authentication/EasyAuth.
Ran into similar/same issue: Initial loads of the SPA worked fine, but after period of hour(s) (token expires) the app "breaks" - in SPA on iOS tablet that manifested for me with endless whitescreen and seemingly no practical fix (force killing did NOT resolve). Error messages thrown ranged from 401 (understandable) to service-worker refusing to process scripts/handle 302 redirects/etc (less obvious where problem may be).
SPA + Azure Web Authentication/EasyAuth tweaks:
If using MDM, disable "Block Safari navigation menu bar" feature in the MDM for this app. This appears to allow the app to work as expected after force kill (it would reload the page, see expired token, redirect to login and then back to the app). I'm not sure if this behavior is controllable in manifest.json, may be iOS specific capability.
Hidden iframe refreshing of token + Timer/check token periodically (in ajax calls, etc):
Note: As of ~2021-04, Chromium based browser worked with hidden iframe method. For other browsers the AAD page would experience errors and fail - current solution suggested would be storing app state -> navigate to AAD login page with redirect param -> User logs in and redirected back to the app -> App state restored w/ refreshed token.
refreshAuthToken() {
//Chrome based browsers work with silent iFrame based token reAuth
if (this.browserChromium()) {
let domainHint = "contoso.com"; //Domain of your organization users (e.g. me#contoso.com)
//Remove existing iframe (if exists), to minimize history/back button entries
let existingFrame = document.getElementById("authIFrame");
if (existingFrame) {
existingFrame.remove();
}
//Inject iFrame that will call endpoint to refresh token/cookie
console.log("Refreshing auth token (quietly)...");
let iframe = document.createElement("iframe");
iframe.id = "authIFrame";
iframe.style =
"width: 0; height: 0; border: 0; border: none; position: absolute; visibility: hidden;";
iframe.src = `/.auth/login/aad?prompt=none&domain_hint=${domainHint}`;
document.body.appendChild(iframe);
new Promise(r => setTimeout(r, 2000)).finally(() => resolve()); //Hacky method of "waiting" for iframe to finish
} else {
console.log("Refreshing auth token (via page reload)...");
window.location.replace("/.auth/login/aad?post_login_redirect_url=/?restoreData=true");
}
},
//
// Timer example:
//
setInterval(() => {this.refreshAuthToken()}, 1000 * 60 * 5); //Fire every 5 minutes
//
// And/or periodically call this function maintain token freshness
//
checkAuthToken() {
//this.authEnd = JWT from /.auth/me "exp" claim
let now = new Date() / 1000;
let expirationWindow = this.authEnd - 600; // Consider token expiring if 10 minutes or less remaining
if (now >= expirationWindow) {
console.log("Auth Token expired - Refreshing...")
this.refreshAuthToken();
} else {
// console.log("Auth token still healthy.");
}
}
Nicety: Enable anonymous access to PWA icons (if possible). iOS requires icons be publicly accessible when saving PWA to homescreen, otherwise uses screenshot of app rather than formal icon: https://stackoverflow.com/a/67116374/7650275
(Cross posted here)
Hi,
I have a sandboxed page (specified in my manifest) which is loaded into an iframe in my extension's background page. From within my sandboxed page, I'd like to open a new window and write to it, i.e.:
var win = window.open(); win.document.write('<p>Hello!</p>');
This works from my extension's background page and from regular web pages, but when invoked from either content scripts or my sandboxed page, the window opens, but I cannot access the win object (it's defined, but empty---console.log outputs "Window {}").
I assume this is due to same-origin policies (with every window being given a uinque-origin within the sandboxed environment). However, since the window opens an about:blank page, I'm confused why this would matter.
Is this a feature? Is there a parameter I can add to my manifest to avoid this? And does anyone know of work-arounds that don't involve using postMessage back to my background page? My ideal solution is to have my sandboxed script open a new window and interact with it directly, not with message passing.
I can provide a full example if necessary, but I'm hoping someone might just know off the top of their head. I'm running Chrome 24.0.1312.57 on Mac and 24.0.1312.68 on Ubuntu if that helps.
Thanks,
Hank
Content scripts, by definition, are part of external regular web pages you load so I'm not really sure how your script could work on a "regular web page" but not the content script. Do you mean the code works when you embed it in your own pages, but not in other pages via the content script?
Regardless, if the script is working properly from your background page, you could always try messaging. (more here: http://developer.chrome.com/extensions/messaging.html)
Script for your sandbox/contentscript:
//send message to background page
chrome.extension.sendMessage({todo: "newWindow"});
In background page:
//create a listener
chrome.extension.onMessage.addListener(
function(request, sender) {
if (request.todo === "newWindow") {
//do your stuff here
var win = window.open(); win.document.write('<p>Hello!</p>');
}
});
Per the cross-post here, the issue is indeed that the opened window is given a unique origin. This was intentional as the members of the standards working group (SWG) felt that it would be more secure to not make an exception for about:blank pages where they inherit the sandbox's origin.
However, to get around this issue, at least for my purposes, I can use the following method. First, forget sandboxing. This workaround uses an iframe embedded in a background page with the src url set to data:text/html,.... This gives a unique origin to the iframe so it's no longer in extension space. That means eval can be used and chrome apis cannot be accessed. Unlike in a sandbox, windows opened from the iframe share that same origin as the iframe, allowing created windows to be accessed. For example:
In a background html page:
<html>
<head>
...
<script src="background.js"></script>
...
</head>
<body>
...
<iframe id="myframe"></iframe>
...
</body>
</html>
In background.js:
...
document.getElementById('myframe').setAttribute('src', 'data:text/html,'+
encodeURI('<html><head>'+
'<script src='+chrome.extension.getURL('jquery.js')+'></script>'+
'<script src='+chrome.extension.getURL('myscript.js')+'></script>'+
...
'</head><body></body></html>'
));
...
In myscript.js
jQuery(document).ready(function(){
...
// To receive messages from background.js.
window.addEventListener('message', function(e){ ... } );
// To send messages to background.js.
parent.postMessage({...}, '*');
// To open AND ACCESS a window.
var win = window.open();
win.document.write('Hello'); // Fails in sandbox, works here.
// Eval code, if you want. Can't do this from an extension
// page loaded normally unless you allow eval in your manifest.
// Here, it's okay!
eval( 'var x = window.open(); x.document.write("Hi!")' );
// No chrome apis.
chrome.log( chrome.extension ); // -> undefined
chrome.log( chrome.windows ); // -> undefined
// No direct access to background page (e.g., parent).
chrome.log( parent ); // -> Window with no properties.
...
});
I have a Home screen with login button. When ever user clicks the Login button login view must open in dialog(popUp window). Here the twist is Home Screen and Login Screen are two different apps in two sub domains.
So I have to open Login View of auth.sample.com in dialog(PopUp window) from my.sample.com app.
Sorry for the bad English. Please see the code below:
<p>
<button type="submit" name="PopupLoginbutton" id = "PopupLoginbutton" value="Popbutton">Login</button>
</p>
<div id="dialog" title="Login" style="overflow: hidden;">
<script type="text/javascript">
$(function () {
$('#dialog').dialog({
autoOpen: false,
width: 400,
resizable: false,
title: 'hi there',
modal: true,
open: function (event, ui) {
$(this).load("http://auth.sample.com/");
},
buttons: {
"Close": function () {
$(this).dialog("close");
}
}
});
$('#PopupLoginbutton').click(function () {
$('#dialog').dialog('open');
});
});
</script>
Views can only be accessed if they are in the current MVC3 project. If all you want to do is show the login screen, you should just show the popup using the full URL (http://my.sample.com/login).
If you want to pass information to the login app, then you would have to use a form and POST/GET to the full URL.
If I understand your position correctly, you want to provide access to content or an area of your site, but only if users are logged in. Are you looking to provide log in capabilities to your new site through the existing auth of your subdomain?
Unfortunately this won't work as you describe, if you're using common methods for authentication and authorization. Logging into a different sub domain isn't going to get you where you're trying to go. I can't log into my bank and then check my email.
You can POST wherever you like or even use JS to load content from other sites/domains (if the end-users permissions/config allow), but your token in the browser to represent a logged in user won't carry over from one domain to the next.
There are several approaches, here are a couple of common ones:
Create a custom MembershipProvider and RoleProvider. These would allow you to use the server-side logic you already have to your access your authentication service.
Configure your new site to use the same membership provider (and database) that the subdomain is using.
Build a web service and tokenization strategy to expose identity from your existing subdomain, and incorporate that into your site.
Number 2 is the easiest, if you own the subdomain. Number 1 isn't too hard if you can wrap the calls to the membership service. If your subdomain is third party, however, and it locks up the user database then you won't have much luck here, unless they provide a means to wrap their login services.
Hope this helps some.
Cheers.
When I sign out of Sharepoint 2010, I close my browser. When I attempt to go back to sign-in, I see that I am already signed in. All of my browser instances are closed. This is using Windows Authentication, but I usually have to sign-in when logging in for the first time to my machine or deploying a webpart.
I'm not sure I see a question here.
What I believe is occurring is SharePoint is delivering a cookie to your browser that is authenticating you. To test, you can go into your browser settings and delete your cookies and then try to access the site again.
go to C:\inetpub\wwwroot\wss\VirtualDirectories\potrt number
<script runat="server">
void SessionAuthenticationModule_SessionSecurityTokenReceived(object sender, Microsoft.IdentityModel.Web.SessionSecurityTokenReceivedEventArgs e)
{
e.ReissueCookie = true;
e.SessionToken.IsPersistent = false;
}
</script>