User's can log in from any page.
I'd like to have the form redirect to the current page the user is on and clear the POST data so they can refresh without problems.
I can't seem to figure out how to do it, or find how to do it, without using an external library or middleware.
Any help would be appreciated!
EDIT:
There is a login form that appears in the top of every page. The user may enter their credentials and the form's action leads to itself.
The server checks to see if a user is logging in, and if the correct POST variables are set, it sets the required various session variables.
I'm wondering how I can redirect the user to the page on which they used the login form.
Since you don't want to use a framework like Express, I think you're either going to have to implement some form of session management yourself (to keep track of where the user came from), or use the Referer HTTP header (which might not always be sent, though) to redirect them back once they are authenticated.
Of course, you're going to generate those redirects yourself:
res.writeHead(303, { Location : req.headers.referer });
res.end();
Or, if you're not using a separate URI that the credentials are posted to (like /login), but just want to 'reload' the current page, you can use this:
res.writeHead(303, { Location : req.url });
res.end();
Related
I am working on the logout part of my website and I am using JWT for authentication and using cookies to send the JWT for client side.
For logging out I am passing some dummy token value with the same token name so that it over rides the previous token. But when I log out of the portal, I am still able to access my dashboard. There is some glitch in the logout functionality. I guess it is due to the browser cache.
I have few questions regarding Express.
Are there any ways to reload the current page using Express and delete the browser cache while doing so?
I need to disable the browser forward option of chrome once the user is logged out, how can I achieve this using express?
How to redirect the user to his dashboard when he tries to hit '/login' or '/signup' route when he is already logged in? I am using the JWT authentication for login
Thanks in advance
Are there any ways to reload the current page using Express and delete the browser cache while doing so?
The server can't, on its own, tell the browser what to do. The browser has to initiate communications and then act on that communications.
You could have the web page in the browser reload its own page using Javascript with window.location.reload(true) at any time. If you want the web page Javascript to be told when to do this by the server, it could either send regular Ajax calls to the server and, based on the response, decide when to reload the page. Or, it could have a webSocket connection to the server and the server could send the web page some data that, when the web page received that data, it would see that it should reload its page.
We could help you better if you told us what the real problem was here. Web pages can use Javascript and/or webSocket connections to dynamically update themselves rather than just reload all the time. That's a more modern design.
I need to disable the browser forward option of chrome once the user is logged out, how can I achieve this using express?
There's a discussion of disabling the forward button here: HTML5 history disabling forward button. You will probably find this is a brute force approach (it involves getting rid of browser history) and there is likely a much better way to solve whatever real problem you're trying to solve. It also sounds like you may also want to manage browser cache expiration too.
How to redirect the user to his dashboard when he tries to hit '/login' or '/signup' route when he is already logged in? I am using the JWT authentication for login
When you detect a request to '/login' or '/signup' in Express from a user who is already logged in, you just respond with a res.redirect("/dashboard") from your server. FYI, there are lots of questions about whether this is the proper user experience. A user going to '/login' or '/signup' when they are already signed in could have any one of these use cases:
They don't realize they are already signed in or they don't know if they are signed in as the desired user.
They want to sign in as a different user.
They want to create a new account (different from what is currently logged in).
They are trying to figure out how to log out.
You should make sure that blind redirecting (and not taking the user to the page they asked to go to) still makes all these use cases entirely clear. If not, you will just frustrate the user by not taking them where they asked to go.
A user logs into my site through oauth via the url
http://provemath.org/index?method=google&state=KasQzeMyWQj3YTvF4aZGi9smLUMwXa&code=4/OAeBwzZLSqoHtwBgEHojEQ1_FFO7TK03j5UUyF2Bdng#
I don't really like the messiness of the parameters in the URL, and currently it causes an issue when they reload. So what I'd like to do is redirect them to provemath.org in order to get those parameters out of the URL, but pass those same variables along some other way.
Is it possible to do a redirect (something like self.redirect('http://provemath.org', self.request.uri)) and pass in some variables not through the URL?
It doesn't look like the possibility is built-in:
http://www.tornadoweb.org/en/stable/_modules/tornado/web.html#RequestHandler.redirect
It's not a part of the redirect itself, but you can pass this kind of information around with cookies (and this is the usual way of handling an oauth redirect). Typically with oauth you would configure your oauth callback URL to be something like provemath.org/oauth (not provemath.org/index), and then in your /oauth handler you'd process the parameters and set a cookie. If you're using tornado.auth.GoogleOAuth2Mixin this would look like
user = yield self.get_authenticated_user(
redirect_uri='http://provemath.org/oauth',
code=self.get_argument('code'))
self.set_secure_cookie("user", json.dumps(user))
self.redirect("/")
(or save user to a database and just put a user id in the cookie)
How would one solve this?
An application has a form with a password and other input fields. The user must enter their password in order to submit a transaction along with other transaction info. The password is required as a security check at point of transaction submission.
The form input values are bound to a command object.
This was the way our application was handling this:
void submitAction(FooCommand command){
if(command.hasErrors()){
render(view: ‘show’, model: [command:command])
}
//else do save and redirect
}
We became aware that by using render instead of redirect, the user’s password was visible in the browser cache after user logs out. The URL used in the render is the same as the POST URL. After the user logs out, someone else could use the browser back button and resubmit the form while using a tool like firebug to inspect the POST parameters and gain access to the user's password.
There is also a requirement to persist the user’s input from the form back to the page that displays the validation errors. So a simple redirect with error message in the flash would fail this requirement.
The proposed solution is to use the chain method to put the
command object into the flash scope so a redirect is possible to display errors and user input. This prevents someone from accessing the POST URL, and thus the password, in browser tools.
void submitAction(FooCommand command){
if(command.hasErrors()){
chain(action: ‘show’, model: [command:command])//redirect instead of render
}
//else do save and redirect
}
One potential downside is storing command objects in the flash scope (ultimately the session) that might have eagerly fetched relationships in the command. Could storing command objects in the session affect performance?
Is there a better solution?
To prevent showing a page after logout when someone hits the back button, use the following response header:
Cache-Control: no-store, must-revalidate
Chain sounds like the way to go. You don't need to use Hibernate/JPA entities for your models, you could make a class specific to the form and copy to your entities. This might take less memory, though you're not likely to store it for too long using a flash map.
We're using JSF in a very simple way. All we're doing is implementing tags that contain a little Java code.
I have implemented a "security" tag that sends a 302 redirect back to the login page whenever the user isn't logged in:
// make them log in
ctx.getExternalContext().redirect("login.xhtml");
ctx.responseComplete();
The trouble is that the redirect() method doesn't stop the rest of the page being rendered. Tags that are further down the page are getting executed. This is a problem because non-logged-in users could see things they shouldn't if they had their browser ignore redirects.
How do I get responseComplete() to do what I thought it was supposed to do?
Its always better to implement the login related logic in a servlet filter, like below:
Implement a filter for the URL patterns that you want to secure
In the filter, check if the user is logged in (may be by just checking if Username/UserId is present in user session)
If the user is not logged in, redirect the user to a HTML based login page.
If the user is logged in, let the user access the resources.
There are a lot of ways (may be better than this) to implement this, but this is the most basic one.
Maybe you could use a flag to verify if the user is logged in.
Then, you can use the render=#{managedBean.logged} property in the tags you don't want to render.
This is just a workaround... can't really help too much with that amount of information you gave.
Try it!
ctx.getExternalContext().dispatch("login.xhtml");
ctx.responseComplete();
So how do you maintain the form security about posting data to different page problem? For instance you have a member and he/she tries to change the personal settings and you redirected member to
www.domain.com/member/change/member_id
member changed the values and post the data to another page by changing the action with firebug or something else. For instance
www.domain.com/member/change/member_id_2
How do you handle this problem without using sessions?
This problem arises when there are no server side validations!
So, the solution is to have server side validations.
Why not use Session state? It's designed for that.
Alternatively use cookies or URL's with unique session style ID embedded in it, which allows you to tie it back to a specific user.
How do you handle members without session?
Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same url, and with firebug you change the form to point to /members/change/2. When processing the form, you have to check if the userid in the form is the current user's id, and if not, display an error.
You could crypt the identity information (member_id) and add it as parameter or url path. When the request is posted to the member_id form, you can verify that the crypted member_id (which is part of the request) matches the member_id.