I have a login button that opens a new window to a third-party login page. If i. Logged in first time, any time i refresh the page or open the website in a new tab when i click on the button it redirects me to the cached login response data, and i have to clear both my website and the login website cookies completely(website+external ones(google cookies.. etc))..
So is there is a way to force clearing all website data from javascript? Or any way to avoid this caching issue?
I have already tried to delete document.cookie but it only delete only the domain cookie not the external ones.
Generally, an app with a third party authentication flow is like from your app, you check the credentials in your cookie to see whether they are valid.
If they are not valid or do not exist, open the third party authentication dialog then login. After a successful login, mostly, the 3rd party auth should saved something in the cookie with its domain. And you also need to save something about credentials in the cookie.
If there are valid credentials in your cookie, then you are simply authorised and the credentials in the cookie should be good to use.
Back to your 2 questions, So is there is a way to force clearing all website data from javascript? Or any way to avoid this caching issue?
Why do you need to clear those data for the sake of authentication?
For the second question, I think I answered it already with the general introduction.
Related
I'm trying to implement MSAL in a client side library, which works pretty well so far.
Now for my next steps I'm trying to add SSO by following the documentation at https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-js-sso#automatically-select-account-on-azure-ad
In this documentation it is pointed out that I can add the sid claim to the auth requests, and reuse that sid in my second tab when logging in.
Now my main question is: what is the process to access the sid retrieved in tab A, and then re-use it in tab B?
I'll summarize for anyone else that is running into this sort of situation. The traditional way to store login tokens is in a cookie. This works fine for most scenarios- if the user tries to login to a different site on the same domain, the cookie is picked up. If they are signing in to a different domain, they will still need to visit the login page, but instead of entering their credentials they will simply be issued a new cookie for the new domain.
The question posed is for a special case when attempting to obtain a cookie on one tab, then using it on another tab without refreshing the page in the second tab. In this case, the token must be stored in local storage in order to be accessible to the code in the second tab immediately.
I am new to web development and I am trying to implement log in functionality. I have successfully implemented the log in functionality. When I open www.bla.com/login I am able to log in post which gets redirected to the homepage.
Problem: If open another tab and type: www.bla.com/login it again opens login page. Ideally if I am logged into one of the tab, I should be redirected to homepage irrespective the url being pointed to login page.
P.S: I am not sure what chunk of code I need to share here because I am not sure what causes this issue. Please help or let me know if I need to post my code base. I am using JavaScript and backbone as front end.
EDIT
I have a REST Service which gets hit when I login and REST service gives me back a User Specific Token. I use this user specific token to again call another Rest Service to fetch more user specific data.
So, basically I need to put a check on this token received. The token received I have stored in browser session. But when I go to another tab and try to access that token its NULL. So I am assuming every tab in browser does not share the session storage. If Yes, then where shall I place this Token so that if someone hits the login page I should check whether a token already exists. if exists then redirect to home page. Kindly guide.
It is hard to say without seeing your code, so let me make an educated guess:
Most likely you do not create cookie with some sessionId after user is successfully logged in.
This cookie would be then used in every request sent to the server, to prove that user is indeed authenticated.
When you open a new tab and there is no cookie/session created, than this new instance of application has no knowledge of the other instance, where user is already logged in.
You may want to look at this answer
EDIT
Maybe you are using sessionStorage instead of cookies. At least I would say so, when I read about behaviour of your app.
See the docs for session storage
The sessionStorage property allows you to access a session Storage
object. sessionStorage is similar to Window.localStorage, the only
difference is while data stored in localStorage has no expiration set,
data stored in sessionStorage gets cleared when the page session ends.
A page session lasts for as long as the browser is open and survives
over page reloads and restores. Opening a page in a new tab or window
will cause a new session to be initiated, which differs from how
session cookies work.
So make sure that you application store the token either in cookies or in localStorage. And also that it correctly reads from them. Maybe the cookies is created, but never read?
I have a blog that requires users to login to view the content. But my page checks for a cookie, if cookie exists then it shows the content (to avoid users having to login repeatedly).
I want to send out an email to my subscribers with links to new posts. Is it possible for me to create a cookie when they open the email or click the link and then recognize that cookie on my website to prevent the requirement of them needing to login?
No.
Most email clients capable of rendering HTML will not, by default, load any remote content or run scripts. And using a JavaScript cookie for authentication is inherently insecure anyway.
Give the a link to click on in the email with a one-time-password and set a http-only, secure cookie from the page the URL links to.
I'm trying to remove the user's authentication cookie by using $cookieStore.remove('.ASPXAUTH'), but if I refresh the page afterwards, the cookie still exists and the page is still available instead of the user being redirected to the login page as I would expect.
Why is the user still able to view the page after I delete the authentication cookie and refresh the page?
I'm afraid that there isn't much you can do to a http-only cookie with javascript. The backend has to remove it if it's http-only. you can trigger a logout by using ajax.
$http.get("/logout");
The other option is to use non http cookie so you can modify it with javascript. But that would make it vulnerable and unsafe for risk of an XSS flaw grabbing your cookie and allowing your session to be hijacked.
PS: try HEAD request method if you don't want to load the page that follows (might work like an "do-and-forget-about-it")
$http.head("/logout");
I want to implement a logout function. When a user clicks Logout, I want to end their session and redirect to another page. Sadly, I am limited to only JavaScript.
EDIT:
Moving this over to Zendesk because it seems like they have a Remote Authentication API.
Thank you to all the people who answered.
Assuming your login session state is stored in a cookie that isn't httpOnly, you can simply delete the login cookie by setting its expiry date to a the past. For example, using this cookie library:
$.cookie('login_cookie_name', null);
Then you can just do a location.assign('/logged_out_page.html'); to redirect to another page.
It depends on what server technology you're using.
Let's say there's a logout.aspx page. You could just do an AJAX request to that page to zap the session, or delete a cookie that the application might be using to cache authentication, then redirect like so:
window.location = "http://www.mysite.com/logout.aspx";
UPDATE
I just found this post on SO that should help (that wasn't easy):
https://stackoverflow.com/questions/3237476/zendesk-remote-auth-using-java