suppose user is accessing account at the same time admin delete his account then what should happen at front end? can user access his account or redirect to login page??
same if admin inactivated user what should be happen there??
for web site
Depends entirely how you set it up. If you want it to automatically log him out you'd have to manually delete the session after you delete the user from the database.
Solution
if user deleted
logout and redirect user to one page and informed that account is deleted. inform to contact administrator
if user inactive
logout and redirect user to the login page or on some other page of the system and inform that his/her account is inactive. inform to contact administrator
You should be checking user session before any action performed by the user (I simply use the information in session to log them in 'again' and return relevant information back to the session, which makes it also easy to keep track of any account changes the user may have made), thus after admin deletes the account, once user attempts to do anything with is account, the login function/method, or whatever mechanism you use, should return false and set the session accordingly
Related
A strange situation that I am unable to find other people having to deal with. We are using Microsoft AspNetCore.Identity to handle our authentication. Everything is working fine.
The problem is that for a user to perform certain actions, they MUST get another user to 'sign' that action. This act of signing of course requires that other user to use their user name and password to sign the action.
The issue with this is that the other user's details are readily visible in the request payload. So if I am sneaky, I can open the developer tools in my browser (and hide it), then ask my admin to come and sign my action, and when they have gone i can go to the network tab and see their username and login in plain text!
Of course this is all over https but still, we can't allow one user to see another's sensitive information.
How are we to manage to allow a second userB to 'sign' an action for userA while in user A's active session, while removing the capacity for userA to steal userB's credentials??? Any ideas? (Front end is angular.js)
I imagine it's a big rework, but instead of having the "admin" sign the request on the user's machine, the admin could receive a "user A requires this action to be signed, proceed? [ok] [cancel]" on their account, the action would be stored in the database (perhaps temporarily?) & then all of the sensitive information is kept within each user's session with no cross over.
Then the authentication of who is permitted to approve actions can be handled in the backend via standard identity methods.
The user's "Please wait while an admin signs this action" modal (assumption) could then poll an API to determine the status of the action and then proceed once accepted.
I second #justcompile's answer if you need an authorised and authenticated user to sign/confirm the action, more work but the only secure way.
If you just need a second pair of eyes to confirm you could message a private group or slack channel that only "authorised" people have access to with a one-time URL containing a token (that maybe expires after a period of time too).
Assuming admins only access that channel they can follow the link, the app can validate the token and confirm the action.
Saves a second (admin) user logging in on their own machine and the need to build a workflow and UI etc, but again exposes you to risk if nefarious types get access to the channel or the links sent to it.
Depends on your appetite for risk I guess.
another user performs signing action on your local system? and you are sly?
there is no way to protect their password.
use two factor authentication.
The way this would normally be handled is for the user to request an action. This (unsigned) action-request is recorded in the database. The admin user is able to see this unsigned request in their account, and make an (authenticated) request to sign it. The user would be able to see the status of their request, and whether it has been signed yet.
I have one user who is logged in, at the same time ADMIN deactivate him.
As he is logged in so he can access APIs so how can i prevent him ,i am using jwt
You can get the user id from the JWT. Then, when doing an operation in the API, check if the user is banned. If the user is banned, send a response back saying the user is banned. So, he will be 'deactivated'.
https://github.com/esl/MongooseIM/issues/2235
As per the link above, there is no current way to ban/deactivate a user in the JWT Auth backend. However, if you were to delete the user, their user ID and token combination would cause for the same effect you are looking for: restricting their access to data.
In this case, I would delete the user instead of 'deactivating' them.
I am researching about Salesforce. I am read the session Control Access to Organization. I have not understand the difference between Deactivating or Freezing a User in Salesforce clearly. Anyone can help me?
In some cases, you can’t immediately deactivate an account, such as when a user is selected in a custom hierarchy field. To prevent users from logging in to your organization while you perform the steps to deactivate them, you can freeze user accounts.
If you freeze a user account, it gives you the opportunity to move the associated records, etc. to the ownership of someone else so they would be able to manage those accounts. "Freezing" only stops the user from being able to login. When you "deactivate," it frees up that salesforce license to be given to another user.
*The difference is:
Deactivate means that you dont allow that user login in your org and it frees up that salesforce license to be given to another user.
Freez just dont allow that user login in your org
You can watch this video for more detail about the difference between Deactivating or Freezing a User in Salesforce: https://www.youtube.com/watch?v=HYPB3oq_94Q
I am storing all the session id's in a variable with the username and system ip, I am using this data for only one login for username. Now I have two problems where sometimes the new session in the browser is generated automatically without user action or if user removes the cookie related to my server. So the user is with the new session, I need to remove the username, system ip and session id from my list.
Since the user didn't do anything explicit on your site you can't know the difference between "lost the cookie" and "haven't been to the site for a while". The best you can do with a scheme like this is to just expire sessions that haven't been active for a week, a month or a year or whatever is appropriate.
You should consider to use an encrypted/hashed cookie with the user id of the logged in user instead of a session if you want to allow users to stay logged in "forever" without taking resources on the server.
Problem assumptions/conditions:
There exists a user with email foo#bar.com (unverified) in the system.
Visitor is not signed into the system (no current session, e.g. new browser).
Visitor signup/login using Google Account, through OAuth (user authorizes).
The system receives callback with uid and the email foo#bar.com [verified by Google].
I see three options here:
A. Sign in the visitor to the existing account with email foo#bar.com. This have some security implications.
B. Ask for a password [assuming there is a password in the system, this may not be the case with multiple OAuth providers] and sign them into existing account if it's valid.
C. Reject the login/signup, say email is already used, encourage user to login before connecting with Google.
What are the security risks with option #A?
What I've come up with myself:
'Anticipation attacks' could be performed, where an attacker anticipates a signup and creates an account on the system before the target does. After the target has signed up using OAuth he will have an active session on that account. Would be defeated by clearing all sessions on the account before doing #A.
When the user logged in through OAuth in Google, you can be sure that the email address you get back from Google really belongs to that user. So the thing you seem to worry about is that the user already known on your system by that email address does not own that email address. That should have been caught by the time he signed up, with an email conversation. But if it isn't, you might want to reset the password and send an email to the genuine user that you did so, and for what reasons. You may also want to log the user out if he is currently logged in. The user can still access his data, but only through his OAuth login session, or by responding to the email. The email should state that it is a precaution, as there is no way to find out if it really is the same person.
An "accidental attack" can happen too:
In step 1, the user who signed up with address foo#bar.com, in fact intended to type fuu#bar.com, but typed a typo: foo instead of fuu.
Now, the Google user signs up with Oauth and foo#bar.com, and in this way hijacks the account of the step-1 user. Accidentally :-) because of a typo made by the step-1 user.
So, either the step-1 user can anticipate-attack the Google user, or the Google user can accidentally-attack the step-1 user. (I cannot think of any other attacks at least not right now.)