Hybris: Idle time sign out error - sap-commerce-cloud

I logged in to the hybris application. After 30 minutes of idle time, when I try to access the User profile page it asks me to sign in, but it still shows my username and the Sign Out option. How do I manage this session?

If you want to increase the session timeout: under your config folder, update the web.xml of every extension where you want to change it, and set the session-timeout:
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
You might also need to update:
default.session.timeout=(time in seconds)
Have you configured remember-me? What version of Hybris are you on?

This is the soft login feature implemented in hybris.
It happens because of the autologin feature: when the session dies, the autologin filter creates a new session from the rememberMe cookie.
RequireHardLoginBeforeControllerHandler looks for acceleratorSecureGUID in the session, but the session is newly created and does not have this attribute.
From version 5.0.0, the Accelerator Storefronts support Remember Me Authentication (Soft Login), which automatically logs a customer into the storefront based on a cookie. This uses Spring's TokenBasedRememberMeServices implementation. Your own implementation only needs to redeclare the rememberMeServices bean to be integrated into the process.
Using Spring's Remember Me Authentication allows the Accelerator to make use of role-based authentication tags, so for example certain links can easily be hidden or shown based on the user's login state.
A Remembered / Soft Logged In customer will need to provide their password and log in fully in order to access their Account or to proceed through Checkout.
Therefore, if you need to manage this, you will have to handle it via the RequireHardLoginBeforeControllerHandler or the rememberMeServices.
Hope this helps.
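As an added illustration (this is not Hybris/SAP Commerce code and not part of the answer above): the soft-login/hard-login split the answer describes, written against plain Spring Security 6, which is what the Accelerator's remember-me is built on. A remembered user is a RememberMeAuthenticationToken; fullyAuthenticated() rejects that token for the account and checkout paths and redirects to the login page, while the rest of the site stays browsable with the username and Sign Out link visible. The paths, the bean names, the REMEMBER_ME_KEY environment variable and the UserDetailsService are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;

// Added example: plain Spring Security 6 equivalent of the Accelerator's
// soft/hard login split. Not Hybris code; paths and names are assumptions.
@Configuration
@EnableWebSecurity
public class StorefrontSecurityConfig {

    // Assumption: the key that signs the remember-me cookie comes from the
    // environment. It must be long, random, secret, and identical on every node.
    private static final String REMEMBER_ME_KEY = System.getenv("REMEMBER_ME_KEY");

    // The bean the Hybris docs say you redeclare to customise soft login.
    // The UserDetailsService is assumed to be defined elsewhere in the context.
    @Bean
    public TokenBasedRememberMeServices rememberMeServices(UserDetailsService users) {
        TokenBasedRememberMeServices services =
                new TokenBasedRememberMeServices(REMEMBER_ME_KEY, users);
        services.setCookieName("remember-me");
        services.setTokenValiditySeconds(14 * 24 * 60 * 60);   // 14 days
        services.setUseSecureCookie(true);                    // never send it over plain HTTP
        return services;
    }

    @Bean
    public SecurityFilterChain storefrontChain(HttpSecurity http,
                                               TokenBasedRememberMeServices rememberMe)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Hard login: a remember-me (soft) authentication is not enough here,
                // the user is sent to the login page. This is what the Accelerator's
                // RequireHardLoginBeforeControllerHandler enforces for account and checkout.
                .requestMatchers("/my-account/**", "/checkout/**").fullyAuthenticated()
                // Everything else is browsable as guest or as a remembered user, so the
                // header can still render the username and a Sign Out link.
                .anyRequest().permitAll())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .rememberMe(rm -> rm
                .rememberMeServices(rememberMe)
                .key(REMEMBER_ME_KEY))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .deleteCookies("remember-me", "JSESSIONID")
                .invalidateHttpSession(true));
        return http.build();
    }
}
```

TokenBasedRememberMeServices puts no state on the server: the cookie carries the username, an expiry and a hash over username, expiry, password and the key, so changing the password invalidates it and anyone holding the key can forge it. If the asker's complaint is that the page asks for a password while still showing the username, that is exactly the fullyAuthenticated() behaviour, and the fix is either to accept it for those paths or to move the affected page out of the hard-login set.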

Related

User XXX is not allowed to access URL

I have successfully installed Liferay 7 and configured CAS 3.6 for SSO. Everything was working fine: I was able to create users, assign roles, create pages, etc.
After a few days, when I tried to create a new user via admin, I got the warning "User 30810 is not allowed to access URL https://mysite:8443/group/control_panel/manage and portlet com_liferay_users_admin_web_portlet_UsersAdminPortlet". I could not create the user, and from then on that user no longer had any of the permissions I used to have.
I googled a lot on this and got a few suggestions, like:
1) Adding the following to portal-ext.properties:
redirect.url.security.mode=domain
redirect.url.domains.allowed=*.mysite.com
session.timeout.warning=0
session.timeout.auto.extend=true
2) Some links:
https://web.liferay.com/community/forums/-/message_boards/message/92226678
3) Somewhere it is mentioned that this is a bug in Liferay starting from Liferay 7 GA4.
4) If you read the link, it is mentioned that it is related to the Guest user and session expiration, which starts causing this issue.
Has anyone gone through this issue? Is there any solution or workaround for it?
I have not been able to update this question with all the options I tried or the solutions mentioned on Google or on Liferay's official JIRA, but I will keep updating it with proper references.
Meanwhile, do provide your suggestions/solutions.
"this starts happening when some session automatically logs out"
This phrase tells me several things, like the possibility of a user being logged out even though you set "session.timeout.auto.extend".
Two basic scenarios where this can happen are:
When you close your tabs: after the assigned timeout the user will be logged out, and when you come back, especially after a browser crash or using the back button, your browser uses old data.
When you have auto session extension working with a big timeout, leading to the possibility of the session timeout configured in Liferay being bigger than the one configured on the server.
In the last case, one might be interested in completing the config you posted with short timeouts:
session.timeout.warning=0
session.timeout.auto.extend=true
session.timeout=5
session.timeout.redirect.on.expire=true
I know it is an old thread but it may help someone...
The "extend session" functionality is not working correctly and the end user's session expires, so when they try to log in they have the wrong CSRF token from the previous session:
You have to double-check that session.timeout in Liferay's portal.properties has the same value as the session timeout configured in your application server.
You also have to check that session.timeout.auto.extend.offset is greater than 60 seconds, to avoid problems with Chrome's intensive JavaScript throttling.

Keep Alive and Multiple SSO Domino HTTP configuration

I have a problem in this specific scenario with my XPages application:
If my Domino HTTP is configured with the Single Server setting, the Ext.lib Keep-Alive control works well and my session doesn't expire.
But if I use Domino HTTP configured with Multiple SSO (LTPAtoken), with Firebug I see the Ext.lib Keep-Alive control working (I see the PING request), but I don't know why my session expires.
Does anyone have any suggestions for me?
Thank you
P.S. my release is 9 Social on Linux 32-bit.
What kind of key did you use when you created the LTPA token?
When using WebSphere LTPA keys, a token is assigned and it will expire when the time specified in the field Expiration (minutes) elapses, no matter whether you are actively using your application or not.
When examining the documentation for products that use WebSphere server (Sametime, Connections) I found that IBM suggests setting the Expiration time to a long interval (such as 600 minutes) to minimize the risk of users being logged out in the middle of a working day. I admit that this does not sound like a good suggestion security-wise.
I assume it is the same when using Domino LTPA keys, with the added option of being able to specify Idle Session Timeout.
So, you can either increase the token expiration interval (depending on your requirements this could be an easy fix) or go with Stephan's suggestion. I don't know how to code his approach, but if I find a solution, I'll update this answer.
In a single server setting the server tracks the validity of the cookie, so whenever you hit the server it is updated. In a multi-server environment you get a new cookie before expiry, so you need to process the incoming cookie to replace its predecessor. The easiest way is using a regular page and an iframe.

CAS Jasig remember me uses old user attributes

It seems that when logging in with the remember-me feature, the user attributes (coming from the AttributeRepository) are not refreshed.
The use case :
A user logs in on Monday. Their attributes are retrieved.
On Tuesday, their attributes change (roles, for example).
On Wednesday, when they return to the site and authenticate via remember-me, the old attribute values are returned by the CAS server.
If the user logs out and then logs in again, the attributes are refreshed normally.
How do I refresh the user attributes when logging in via remember-me?
I'm using CAS server 3.5.2.
Currently, those attributes are not refreshed. The attributes are retrieved at TGT generation time and serialized to the database (they are stored with the principal which is attached to the ticket). The CAS4-api branch solved that issue by always delegating to the underlying attribute repository which could decide to cache the attributes for a period of time. There is some work being done to transfer some of the API-branch code into the trunk, but not all of it is. If you want to see this in there, you should open a JIRA issue with this bug. I can provide details in the ticket on why this is happening and ways it can be fixed.

Creating a new JSESSIONID after authentication

When a user hits the login page of a Portal (it could be Liferay, JBoss Portal, ...), a JSESSIONID cookie is created by the container. After entering credentials on the login page, the same JSESSIONID is carried over.
Here, the end user gets to know the JSESSIONID before being authenticated (by checking the JSESSIONID on the login page). This increases the vulnerability of the site to hacking, because one can know the JSESSIONID before being authenticated.
This post advises having a different JSESSIONID after authentication.
So, can creating a new JSESSIONID be achieved by the Portal server being used (I am using Liferay CE 6.0), or does it have to be handled by the web application developer? If it has to be handled by the developer, what is the best way to do it? Is request.getSession(true) the only option? If I need to instruct Liferay to create a new JSESSIONID after authentication, how can it be done?
This looks a lot like the session fixation problem I solved for Liferay 5.2.5 a long time ago. The solution consists of creating a custom Tomcat Valve that forces a new session ID, so it isn't really specific to Liferay and depends on whether you use Tomcat or not.
I suspect it shouldn't be too difficult to adapt my old solution to a newer Liferay/Tomcat combination. You can find the necessary information about my solution in my old and currently unmaintained blog (if I only had more time...): Fixing session fixation in Liferay
The problem here is not that the user knows the session ID (the user always knows it, it is sent by his browser). The attack scenario is that the user, while logged out, clicks on the link that already has JSESSIONID embedded, then authenticates and this session becomes a logged-in session. Now someone who initially created the link can use the same session to act as the user. More details at https://en.wikipedia.org/wiki/Session_fixation
So yes, use the web or app server to reset the session ID after a user authenticates. You do not need to write it yourself. For Tomcat 7: http://www.tomcatexpert.com/blog/2011/04/25/session-fixation-protection
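For an application that does its own login (as opposed to container-managed FORM/BASIC auth, which is what the Tomcat 7 setting in the link covers), the rotation has to happen in the login code. The following is an added example, not Liferay's or Tomcat's code: a servlet that verifies the password and only then swaps the session ID, so a JSESSIONID an attacker planted before login never becomes an authenticated session. The javax.servlet package (Servlet 3.0 era, matching Liferay 6.0), the single demo user and the fixed salt are assumptions made to keep it self-contained.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: session-ID rotation on login. Not Liferay or Tomcat code.
public class LoginServlet extends HttpServlet {

    // Constructed demo credential store: one user, PBKDF2-SHA256 with a fixed salt
    // so the example runs on its own. A real store keeps one random salt per user.
    private static final byte[] DEMO_SALT =
            "demo-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS =
            Map.of("alice", pbkdf2("correct horse battery staple", DEMO_SALT));

    /** Issue a fresh session ID: copy attributes, invalidate the old session, create a
     *  new one. On Servlet 3.1+ containers request.changeSessionId() does this in one
     *  call; this version also works on the Servlet 2.5/3.0 containers Liferay 6.0 ran on. */
    static HttpSession rotateSession(HttpServletRequest request) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();                              // the pre-login ID dies here
        }
        HttpSession fresh = request.getSession(true);      // new JSESSIONID set on the response
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        byte[] stored = user == null ? null : USERS.get(user);
        // Always derive the candidate hash, even for unknown users, so the response time
        // does not reveal which usernames exist; compare in constant time.
        byte[] candidate = pbkdf2(pass == null ? "" : pass, DEMO_SALT);
        boolean ok = stored != null && MessageDigest.isEqual(stored, candidate);
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Rotate BEFORE anything marks the session as logged in.
        HttpSession session = rotateSession(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The check after deploying is the one the asker describes: note the JSESSIONID on the login page, submit valid credentials, and confirm the Set-Cookie on the redirect carries a different value. Carrying the attributes over is a choice, not a requirement; anything an unauthenticated visitor could have put in the session (a cart, a CSRF token) survives the rotation, which is usually wanted, but a security-sensitive attribute should be set only after rotateSession returns.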
You can fix this issue by setting the following property to true, as Liferay has by default.
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevents phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
@Thiago:
session.enable.phishing.protection=true is true by default in portal.properties. Anyhow, I added this entry to portal-ext.properties, but even then the JSESSIONID remains the same before and after login.
I implemented a filter as per this link. After implementing it, when I hit Liferay's login page one JSESSIONID is created; after I enter the credentials and log in, the same JSESSIONID is retained.
I implemented this filter in a Servlet, not in any of my Portlets or in Liferay's ROOT application. My Servlet is deployed in the LR + JBoss AS bundle. I first hit the Servlet, and from there I have a link which redirects to Liferay's login page. I implemented the filter in my Servlet because the container appends JSESSIONID to the first request, as it doesn't know whether cookies are enabled or not. Since JSESSIONID is getting appended, I am not able to retrieve my images in the Servlet (because the URL is myImage.jpg;jsessionid=). Hence I implemented this filter.
Is this filter conflicting with Liferay's configuration? Even after setting session.enable.phishing.protection=true the same JSESSIONID is retained, so what else could be the problem?
Put this in portal-ext.properties.
It will fix the problem: every time you log in, a new session ID will be generated.
session.enable.phishing.protection=true
com.liferay.util.servlet.SessionParameters=true

Implementation of "remember me" in code igniter

How do I remember sessions, even after the browser is closed?
Is there any alternative to extending the expiry time of cookies?
I am using CodeIgniter.
I implemented my version based on this article. The article explains the concept, the security, and how to implement a persistent login cookie.
A summary of what I did:
- Create a table to hold the persistent cookie series and token (the series is needed to detect whether the cookie was stolen).
- Write a model that creates the required cookies (separate from the normal CI session). The model also does the database read/write of the used persistent cookies.
- Integrate this model into the existing user model that handles normal authentication.
- When the user goes to a page that needs relaxed authentication, without a normal CI session but with a persistent cookie session in their browser, my code recognizes it since the same series and token are also stored in the database. The user gets a normal CI session, but with a flag that this session was generated from the persistent cookie, not from the login form.
- When the user goes to a 'sensitive' page that demands a CI session without the persistent flag, the user is logged off and sent to the login form (if you use Yahoo Mail, it is similar to that). This is usually a page where the user can add/edit/delete, or see sensitive information.
I hope this helps.
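The series/token scheme that answer summarises, shown as an added example in plain Java rather than the answerer's CodeIgniter model (this is not their code). An in-memory map stands in for the database table, the cookie value format "series:token", the 14-day validity and the constructed walk-through in main are assumptions. The part worth seeing is the third branch of loginFromCookie: a known series presented with a token that has already been rotated away is the signal that the cookie was copied, and the response is to revoke every series the user has.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example: persistent-login cookies with theft detection. Not CodeIgniter code.
public class PersistentLogin {

    enum Outcome { LOGGED_IN, THEFT_DETECTED, REJECTED }

    /** LOGGED_IN: start a session flagged as "soft" and send newCookie back.
     *  THEFT_DETECTED: clear the cookie and tell the user to log in and check their account.
     *  REJECTED: clear the cookie and treat the visitor as anonymous. */
    static final class Result {
        final Outcome outcome; final String username; final String newCookie;
        Result(Outcome o, String u, String c) { outcome = o; username = u; newCookie = c; }
    }

    /** One row of the persistent-login table; the map below is keyed by series. */
    private static final class Row {
        final String username; final byte[] tokenHash; final Instant expires;
        Row(String u, byte[] h, Instant e) { username = u; tokenHash = h; expires = e; }
    }

    private static final long VALIDITY_SECONDS = 14L * 24 * 3600;   // assumed lifetime
    private final Map<String, Row> table = new HashMap<>();         // stands in for the DB
    private final SecureRandom rng = new SecureRandom();

    /** After a successful password login with "remember me" ticked: start a new series.
     *  Only a hash of the token is stored, so a database dump does not yield usable cookies. */
    public String issue(String username) {
        String series = random(), token = random();
        table.put(series, new Row(username, sha256(token), Instant.now().plusSeconds(VALIDITY_SECONDS)));
        return series + ":" + token;   // cookie value; set it HttpOnly, Secure and SameSite=Lax
    }

    /** On a request that has no live session but carries the persistent cookie. */
    public Result loginFromCookie(String cookie) {
        String[] parts = cookie == null ? new String[0] : cookie.split(":", 2);
        if (parts.length != 2) return new Result(Outcome.REJECTED, null, null);
        String series = parts[0];
        Row row = table.get(series);
        if (row == null || row.expires.isBefore(Instant.now())) {
            table.remove(series);
            return new Result(Outcome.REJECTED, null, null);
        }
        if (!MessageDigest.isEqual(row.tokenHash, sha256(parts[1]))) {
            // Right series, wrong token: this cookie was already spent, so either the
            // legitimate browser or a thief replayed it. Revoke every series the user has.
            String victim = row.username;
            table.values().removeIf(r -> r.username.equals(victim));
            return new Result(Outcome.THEFT_DETECTED, victim, null);
        }
        // Valid: keep the series, rotate the token so a captured cookie is single-use.
        String token = random();
        table.put(series, new Row(row.username, sha256(token), Instant.now().plusSeconds(VALIDITY_SECONDS)));
        return new Result(Outcome.LOGGED_IN, row.username, series + ":" + token);
    }

    /** Explicit logout retires only this browser's series; other devices stay remembered. */
    public void logout(String cookie) {
        if (cookie != null) table.remove(cookie.split(":", 2)[0]);
    }

    private String random() {
        byte[] b = new byte[16];                       // 128 bits from a CSPRNG
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);   // no ':' possible
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Constructed walk-through: a valid use, a replay of the spent cookie, then the
    // now-revoked rotated cookie.
    public static void main(String[] args) {
        PersistentLogin store = new PersistentLogin();
        String cookie = store.issue("alice");
        Result first  = store.loginFromCookie(cookie);           // LOGGED_IN, carries a rotated cookie
        Result replay = store.loginFromCookie(cookie);           // THEFT_DETECTED: old token reused
        Result after  = store.loginFromCookie(first.newCookie);  // REJECTED: series revoked above
        System.out.println(first.outcome + " " + replay.outcome + " " + after.outcome);
    }
}
```

The "soft" flag from the answer lives in the caller: on LOGGED_IN the application starts its normal session with an attribute recording that it came from the cookie, and the pages the answer calls sensitive refuse a session carrying that flag and send the user to the password form. Note that the scheme only detects theft after the fact, when the second holder presents the spent token; it does not prevent the thief from using the cookie once.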
Cookies are the only solution, I suspect. As you said, you need to extend the time. However, if you want to use PHP sessions instead, you have to make the session lifetime longer in php.ini, but I don't think using sessions for this purpose is a good idea, because session data is stored on the server rather than with the individual user.
Thanks
