I would like to have a website opened only once on a browser. I want to force somehow to have only one tab opened. What solutions do I have?
I need to make it work on any browser.
You may find a way using a request counter in a session cookie. In every server response the counter is sent back incremented. Per JS you can compare cookie and counter. Should there be a difference of more than one some other tab is sending requests as well. Obviously, you may encounter race conditions.
Related
A basic question:
I have an angular site with Login page and captcha. I need to activate the captcha only after 3 attempts to login.
I have a counter for this. Locating it in the component itself won't work because refreshing the page is setting it to 0;
I wonder can I store it in the login service - concerning whether it will be a common to all the users reaching the service, which will be a problem - Am I correct ?
(The other option is to store it as a variable of the session (express-sesion) - this should probably work)
Hum...
I assume that when the user is login in, the front make a http call to your back-en to check is the user/password couple is correct because all the security must be on back-end side.
Knowing that, I'd say that the counter must also be on the back-end side.
If you put the counter on the front side, a simple refresh of the page or a clear of the browser storage, will bypass your counter.
You can store it in express-session, if session is started even for not authorised users. Otherwise, you should store counter by username in some database. Try rate-limiter-flexible for that. You can make your login system even more robust with it.
I've investigated it, here are my conclusions:
There are 2 optional answers to this question:
1. If you (I...) want to have the counter in the context of the client, meaning -whenever I leave the browser and open a new one - the counter will be reset, and only in this specific browser I will get the captcha afetr 3 tests, then it should be managed in the sessionStorage.
2. If you want to have a persistence between browsers, meaning no mater what window browser (from the same kind, i.e.- chrome, IE or FF) will you open - the counter is shared between them and if you have a captcha triggered from one of them it will appear in all, when refresh them - then you can manage it in the express-session as #animir mentioned
I am building a web app wherein a user can like some choices displayed on the page.
I want to build this like/unlike system in the most efficient way possible. Does every press of the like button need to send an http request to the node.js server to modify user data in Mongo?
I'm asking since I will be having a python script as a recommender system that listens to every change happening in MongoDB.
Yes, every click should go to the server by making a callback. Someone can say that:
you can also do tweaks with this functionality like pop all the ids of posts liked by a specific user in an array and send it back at the end of its session or after a specific amount of time.
But think what if that array somehow lose the data by mistake ? Or the session is failed due to some reasons? Also, how will other users see that which post is liked or not ?
See these are the reasons we always send the response back each time. However JQuery and other frameworks are there to make it fast.
Does every press of the like button need to send an http request to the node.js server to modify user data in Mongo?
You need to get your data to the server somehow, yes. An HTTP request is generally a good choice, and doesn't have to be as heavyweight as it once was.
Firstly, your server should be enabling HTTP keep-alive, where the underlying TCP connection stays open for some amount of time once the request is finished. That way, subsequent requests can be made on the same connection.
Additionally, you should ensure you have HTTP/2 enabled, which is a more efficient protocol due to its binary nature. More importantly, headers like Cookie and what not aren't sent over and over again.
By following these best practices, you'll find that your request/responses are just a few bytes down the wire of an existing connection. And, you won't have to change anything in your code to do it!
I have a web page that sets a cookie with document.cookie = value, and it works perfectly while running on the server.
However, in my cucumber tests (with Poltergeist/PhantomJS), the cookies are not persisting from one page to the next.
The test flow is:
page A opens
user clicks a button, which triggers JS to set the cookie
user clicks link to page B
page B has a component that reflects the cookie's value
In a real browser against a running server, it's fine.
But in cucumber, step 4's display shows that it's seeing a blank cookie.
Does anyone know how I can fix or investigate this?
Turns out I got some bad advice from some other page, which was actually interfering with Poltergeist's natural behavior.
I took that crap out, and Poltergeist worked. I have since implemented a better alternate way of setting cookies in tests, and all is good.
By popular demand, here is the cookie-setter code in my test-step:
case Capybara.current_session.driver
when Capybara::Poltergeist::Driver
page.driver.set_cookie(k,v)
when Capybara::RackTest::Driver
headers = {}
Rack::Utils.set_cookie_header!(headers,k,v)
cookie_string = headers['Set-Cookie']
Capybara.current_session.driver.browser.set_cookie(cookie_string)
when Capybara::Selenium::Driver
page.driver.browser.manage.add_cookie(:name=>k, :value=>v)
else
raise "no cookie-setter implemented for driver #{Capybara.current_session.driver.class.name}"
end
IMPORTANT CAVEAT: If you set your cookie via a test step with the above code, your page's Javascript might not be allowed to overwrite it. If your test needs your page to alter the cookie, you may find that the cookie never gets altered.
I am working on a financial web application.
There is a client requirement that if user is logged in and already browsing the app. If he copies and pastes the browser url to another window. In another window, the user should get logged out.
I know http is stateless and there is no inbuilt browser mechanism (cookies etc) to solve it, this needs to be implemented by programming only. I guess people have already solved this problem. Do you know know possible solution to solve this issue?
Sadly, there is no solution.
The browser keeps the cookies and all of the user informations for all the Tabs & Windows you open. It will clear the datas (like cookies that ask to be removed after the session) as soon as you close ALL tabs and windows of your browser. Note that if the user use another browser, the behaviour your want will be respected — browsers dnn't (yet ?) share this kind of informations.
It is simply not possible to solve the problem with code, and you'll have to find work-around.
As a researcher, I've seen one of these solutions : de-auth the user on the HTTP_REFERER (Apache Env. Variable). As soon as the referer was not the application itself (except for the login form), the user was de-authed. But take care of it : the Referer is an info sent by the browser. And no information sent by the browser should be trusted :). The advice remains, if only you want to use Javascript. You'll find someone to use a JS-disabled-browser to bypass your verification.
That's why Application Development is not yet dead ;)
Cheers.
K.
I have an application where any request on a page must be inserted to a count table , however how can i check if the requesting is a real user not some tool made by a user to make 1 million request in a second or something like this in asp.net ?
note : I cannot put a captcha or something like this on this because the user is not entering any data
I guess most pages do this via a cookie or they store the IP adress of the requester. The agent can be faked and there a quite a lot of tools around that do this.
hth
Mario
If a cookie is out of the question then i would suggest time tracking on the server. I would assume you have some way of tracking the user, wehther it be cookie based or by authentication (they logged in to your site). (Without tracking the user it would be pointless counting requests).
This means that for each request from each user, you track two things:
the user ID
the time when they requested the page
When they make the request, you increment the counter. If they make another request, you check the timestamp for the previous request - if it is too soon you don't count the current request. This mechanism can be very easily modified to count requests only once every x seconds, or even to only count 1 request per day, etc. If you settle on a timespan that would represent continual requests from a normal user, you can skip counting any requests that happen before that timespan has elapsed. Alternatively you could also log those suspect requests. If you are sending data of some sort back with each request, you can send nothing back for the suspect ones.
You can check the user-agent and see if the request is coming from a web browser.
See this article for more info.