I've had a look around but I cannot seem to find the answer. Due to the "security" team at my company, they have stated that a website we have recently built, when a user navigates away from the website, we need to destroy the session.
Currently it's using a JWT token stored in the local browsers session, so when the user closes the browser the token will be destroyed.
So I know I can hook into window.onbeforeunload but this would also happen if the user refreshes the page, I don't think that would be acceptable behaviour for a website (refresh the page and now you are logged out). And there is also the Reload Site? popup that appears.
Does anyone know a way to detect that the user is navigating away from the angular app opposed to just reloading the page?
Related
I have tried to set cookies in multiples domain that i own (for a better user experience, they will be so directly logged in on my different domains)
The cookies is secured, i know we can edit it so it's a 64 random letters key for every users.
I've tried to load cookies with this https://subinsb.com/set-same-cookie-on-different-domains/ method but apparently it didn't work because i so by inspect that google chrome (my browser) had block the request considering that as hacking.
So for now it's a button that allows the cookie to load by windows openning in javascript but the user has to close every single window when cookie are load (long and boring)
Is there any way to make my operation simple ?
Thanks for your help,
Your sincerely,
MySve
You can use window.close() to close the current window. But opening a window for every domain isnt a good solution, and cross origin cookies arent great either.
I'd recommend doing it like this:
Lets say that the user is on webpage 1, and logged in on webpage 4.
Your button should redirect you to website 2.
Website 2 should check if the user is logged in. The user is not logged in, so it redirect you to website 3.
The user is not logged in on website 3 either, so it redirects you to website 4.
The user is logged in on website 4, so it redirects you back to page 1.
Hope this helps! :D
There is one thing I don't understand about the UI Redressing attack. Basically what I understand is:
1- The user clicks on a external URL
2- The attackers webpage opens. Inside this webpage, the original webpage is loaded as an iframe in a transparent manner.
3- As the user interacts with the attackers webpage he will actually be interacting with the transparent iframe.
Here is where I am confused. Why does the user even need to interact with the loaded webpage? Once the inner iframe is loaded you can have a javascript code to automate clicks on the page. Since this is all happening on the victims browser the target site will receive the victims session cookie and assume everythings fine.
Am I missing something here? Thanks in advance
Note: Please note this is a UI Redressing attack also known as click-jacking. This is different than phishing attacks.
The user wants to interact with the loaded webpage, because the user is not aware they are visiting a fake (inauthentic) page. I'm not 100% certain about the javascript, but I'm pretty sure the attacker wants to log the user's activity (e.g, keystrokes for a password).
With media players on site we use the History API and XHR to allow navigation through the site without causing page refreshes (i.e. causing the media to stop).
This works nicely until the following scenarios:
A. The user changes the URL in the address bar.
B. The user selects a bookmarked page.
C. The user clicks on a Facebook widget that requests another page.
Is there a way to intercept the changed URL and handle it without causing a page refresh, of course we are talking about URLs to the same domain here.
Have there been changes to the window.onbeforeunload event that means we can cancel the leave and obtain the new URL without informing the user?
window.onbeforeunload has not changed. And I think that what you are trying to do is not possible, since that would allow a malicious web page to prevent a user from ever leaving a page (unless he would close the browser/tab).
For example Facebook redirects if you click on a link one of you friends shared.
Is there a safety reason that I should know about for my website? Thanks.
They are using this to track, you can also use it to track traffic - there shouldn't be any real security issues with this, its just the way Facebook directs traffic to sites.
One reason is that the user doesn't lose their place on the site just because they are going to another web page. It's a usability best practice to have any link that goes to a site other than your own, to open a new window or tab.
Security-wise, the site session on the new window is wiped when a new window is created, so if the link is malicious it cant sniff out your authentication cookies or other information.
I'm using the Telerik RadWindow control in one of my applications. When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter.
However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected.
The control works just fine when the URL is pointed at a site other than Twitter. I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. Any advice on how to implement this functionality would be greatly appreciated.
Thanks in advance.
This behavior is probably caused by Twitter. In fact, it should happen on many other sites as well (Facebook and similar). To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. This way they can ensure that no rogue JavaScript will be running while the user enters their username and password.
Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up.
Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows.
The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. Best to just let your site do a full redirect for now.