How to get all active sessions from SessionBag in ServiceStack? - servicestack

On a website I'm working on I need to be able to modify variables within active sessions depending on some server event. I have identified that there is a list of sessions in the SessionBag variable (within Service), so I am wondering how I can search this collection to get a certain user's session and modify it if needed?

Related

How do I manage authorization (not authentication) with node and a postgresql db?

This question is regarding authorization, not authentication, which I will be managing with passportjs. How do I restrict access for data that's bound to specific users without spreading user_ids all over every table in the database?
Should I create a new database user for each new user of my app and restrict access that way? Or is the "user id in every table" approach actually a good way to go?
I'm working on a project right now where someone else wrote the authorization logic and it works using a kind of authorization path in the code so it can find which user a resource belongs to using some breadcrumb logic.
But I'm really at a loss here and I'm having a hard time finding any information regarding this since almost all articles that I find are about authentication rather than authorization. And I do not mean access to a resource, but rather the filtration of data returned from a resource that the user has access to.
If you want to restrict access of users to certain objects, you either have to store that information with the user or with the object.
The latter is the preferred way because it makes permissions disappear with the object. That's the way PostgreSQL does it – it stores an access control list (ACL) with every object.
So you can either use PostgreSQL to implement privileges (then every application user or at least every group with equal privileges has to have a database user, and you can use permissions on tables and columns and row level security), or you implement it in your application and have some sort of ACL with every row in the database.
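The second option in the answer above (an ACL stored with every row, checked in the application) as an added example for a Node data layer; this is not code from the answer, and the row shape, the `user:`/`group:` principal naming and the permission names are assumptions for the demo:

```javascript
// Constructed sample data: every document row carries its own ACL, so the
// permission disappears together with the row (the answer's "latter" option).
const documents = [
  { id: 1, title: 'alice private', acl: [{ principal: 'user:alice', perms: ['read', 'write'] }] },
  { id: 2, title: 'team notes',    acl: [{ principal: 'group:dev', perms: ['read'] },
                                         { principal: 'user:bob', perms: ['read', 'write'] }] },
  { id: 3, title: 'bob private',   acl: [{ principal: 'user:bob', perms: ['read', 'write'] }] },
];

// The caller's principal set: the user itself plus every group it belongs to.
function principalsOf(user) {
  return new Set([`user:${user.id}`, ...user.groups.map(g => `group:${g}`)]);
}

// Deny by default: a row is usable only if some ACL entry grants the requested
// permission to one of the caller's principals. A row without an ACL is hidden.
function isAllowed(row, user, perm) {
  const principals = principalsOf(user);
  return (row.acl || []).some(e => principals.has(e.principal) && e.perms.includes(perm));
}

// Filter a result set inside the data layer, so no route handler can forget it.
function filterForUser(rows, user, perm) {
  return rows.filter(row => isAllowed(row, user, perm));
}

// Single-row lookup: returns null both for missing and for forbidden rows, so a
// caller cannot probe which ids exist by comparing "not found" with "forbidden".
function getDocument(rows, user, id, perm) {
  const row = rows.find(r => r.id === id);
  return row && isAllowed(row, user, perm) ? row : null;
}

// Constructed users for the demo.
const alice = { id: 'alice', groups: ['dev'] };
const bob = { id: 'bob', groups: [] };
```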

How is Application insight tracking the User_Id?

I'm running an Azure Web App with Application Insights.
I know Microsoft can't show the real IP (Client_IP), so I add the real IP address to all requests (Ip).
I have a visitor client_id="h9zbt" that in the last 24h is using 48 different client_IP addresses.
The same user also has several real IPv6 addresses.
I'd like to block this IP from my website, but I think this looks so strange.
Is it really the same user?
How is Application insight tracking the User_Id?
Usually Application Insights automatically opens a session for each user (look for the ai_session key). Therefore the default user scope would be a session scope.
You can override this behaviour by sending a user context if you have some kind of sign-in. (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context)
I find it likely that it's the same user on the same device, just using several IP-addresses, maybe as an unsuccessful attempt to stay anonymous.
User IDs should persist across user sessions to track how users behave over time. There are various approaches for persisting the ID:
A definition of a user that you already have in your service.
If the service has access to a browser, it can pass the browser a cookie with an ID in it. The ID will persist for as long as the cookie remains in the user's browser.
If necessary, you can use a new ID each session, but the results about users will be limited. For example, you won't be able to see how a user's behavior changes over time.
The ID should be a Guid or another string complex enough to identify each user uniquely. For example, it could be a long random number.
If the ID contains personally identifying information about the user, it is not an appropriate value to send to Application Insights as a user ID. You can send such an ID as an authenticated user ID, but it does not fulfill the user ID requirement for usage scenarios.
Mentioned in the Azure doc:
https://learn.microsoft.com/en-us/azure/application-insights/app-insights-usage-send-user-context

How to distinguish between two web clients on the same IP

I need to create a temporary working space for each client that is not logged in (a folder on the server) before the client logs in.
I am currently using the ip address to create an object but there can be more than one client with the same ip if they come from the same client LAN.
These clients will end up at the same folder and their work will be commingled.
How do I differentiate between these clients?
I am working with the MEAN stack.
Since you have clients that can log in, create the folder for those users based on their unique identifier (like their database id) when the user information is created. When they log in, you will know what folder to use.
You could use cookies or some browser session to assign unique identifiers (uuids?) to users as they hit your site. You could use browser-fingerprint and/or uuid to assign unique values.

Forgerock - OpenAM - retrieving all valid sessions for a specific user

How would I retrieve all valid sessions for a specific user? For example, if the user is logged in from multiple devices and decides to change password, or reset password. I need to be able to expire all active sessions and log the user out of all devices. This is especially important if the user is suspecting that his/her account has been compromised and needs to change the password. Currently I can retrieve RMEs but not sessions. I know this is doable from the UI but I need to put this feature in an SDK or API. Is there a curl command to easily achieve this?
Sarah,
Currently there is no endpoint that will let you invalidate all user sessions. You would need the session token of each session and then call the /json/sessions/?_action=logout REST endpoint multiple times (once per session).
That being said you can use the following class to get the list of sessions for a particular user:
com.iplanet.dpro.session.service.SessionCount
You can read the javadoc here.
There are some constraints for using this method though. Session Quota must be enabled. You can enable Session Quota on the admin console by going to Configuration -> Global -> Session page and:
Set the number of "Active User Sessions"
Turn on "Enable Quota Constraints"
To sum up, you can create your own custom endpoint that will take the User ID and invoke SessionCount.getAllSessionsByUUID(uuid) to get the list of active sessions. After that, you can iterate through the list of sessions and invalidate them one by one.
Hope this answers your question.

Azure Session Table stays empty in AspProvider's TableStorageSessionStateProvider

We have a Web Role which used to run in a single instance for some time. To cope with higher loads (and to get a better SLA) we're currently migrating the role to support multiple instances.
The role uses Forms Authentication (with a custom membership provider), and our understanding was that we would have to enable some sort of shared session state between the instances, so if a user signs in on instance 1 and gets his .ASPXAUTH cookie, then instance 2 knows about this cookie.
We did that, and currently the role is running on two instances, and everything works well. We tested that a user stays signed in, even if his request is processed on the other instance than the one on which he signed in. If the user doesn't sign in, access is denied.
We also checked whether the TableStorageSessionStateProvider created a table in the Azure Table Storage account, and indeed, there is a table Sessions with PartitionKey, RowKey and Timestamp columns.
But, to our astonishment, the Sessions table always stays empty. No matter how many users are signed in, there is no data in the table.
How can these instances communicate, if not through the Sessions table?
You're mixing up two different things here: Authentication and Session State.
It's true that, in order to use Session State with multiple instances, you need a shared store (InProc won't work). In that case TableStorageSessionStateProvider would work since all instances have access to the session data stored here. Session state is used when you store something in the current session of the user, like a shopping cart. And you would call it like this: Session["UserShoppingCart"] = shoppingCart;.
But what you're describing in your question has nothing to do with the Session State, it's all about Forms Authentication. When you authenticate on instance 1, you'll get a ticket in return (stored in the .ASPXAUTH cookie). This ticket is encrypted and signed and contains basic information like your username, expiration, custom user data, ...
Now that you have multiple instances it could be that the next request lands you on instance 2. And I think your question was, how do the instances communicate? Well, they don't. Whenever the request starts, before it reaches your page or your controller, the FormsAuthenticationHttpModule kicks in and looks for the .ASPXAUTH cookie. It checks the signature, decrypts it and then fills the HttpContext.Current.User with the information from the cookie (the ticket).
The only link between the instances is the machineKey (used for encrypting/decrypting/signing/validating the cookie). Whenever you deploy multiple instances in Windows Azure, the Fabric Controller makes sure all instances get the same machineKey. This way, instance 2 will be able to decrypt and validate the ticket encrypted and signed by instance 1.