I have a REST based service architecture. One service is used to login users. A successful login request results in a auth_token sent back to the web client.
I would like to store the token in localStorage which is working fine in most situations. However it is possible that the user disables localStorage or the browser is in private mode (as far as I know only an issue on Safari).
My question is: Is there any concept I can use as a fallback when localStorage is not available?
Is storing the token in the window variable an option?
Any ideas are appreciated.
Checkout this link to find whether you have local storage enabled or not.
https://mathiasbynens.be/notes/localstorage-pattern
Also, for the fallback you can use cookies always. Or even if the cookies is not enabled, the only way to support is by URL param. Usually, in these cases people will show a warning message staing their Localstorage/Cookie should be enabled in order to work with their site. Hope it helps .
Alternatively, you can store in window.name which will be carried over on one browser tab; if you open the same page on anther tab it wont be available.
Related
My web site uses magic links for login, however, I have a problem on mobile (not sure about Android - haven't tried yet, but the problem exists at least on iOS): when a user receives the email say in the GMail app, the link opens in the embedded browser, meaning that cookies will not be passed to the "real" browser.
Is there a way to ensure the link in the email opens in the real system browser and therefore cookies are stored permanently?
(Essentially browser session isolation on iOS breaks a lot of things on the Internet, so surely there is a workaround?)
After some research: no, it is not possible to detect you are in an embedded browser, neither is it possible to enforce opening a link in the system one. Makes sense from security point of view.
However, I was asking the wrong question. The problem of a magic link login is solved differently: when starting a login process you can set a session cookie and create an associated DB record for it, marking it as blocked, i.e. not logged in.
At next step, when the magic link is opened in whatever browser you unblock the session in the DB. At this stage you can replace the login cookie with a real one, e.g. JWT, or continue using it as your main auth token.
If the user then returns to the real browser, you check the login cookie and act accordingly, keeping in mind that it may not be the browser where they validated the magic link. At this stage you can, again, replace the login cookie with your real auth cookie knowing that the session has been validated already.
I'm not entirely sure this is 100% safe, need to think about it more but at first glance it does look safe and seems to be pretty much the only way of handling magic links on mobile.
I am developing a extension for chrome. I have a site that has a list of affiliate sites. When a user access a site that is affiliate with my site i want that extension checks if chrome is already logged in my site and perform different actions if It is logged or not. How can i do?
Every site handles user states differently. Most likely you need to evaluate the cookie or the DOM of the site. Every web application I've written uses encrypted cookies, many other sites do the same, so evaluating the DOM is most likely more fruitful. There cannot be a generic answer.
The browser (any browser, not just Chrome) doesn't know about any "logged in" status for any site. Instead the browser maintains a list of cookies for particular sites that the user has visited (and accepted cookies for). One of the cookies for a particular site may mean (for that specific site) that the user is known under some specified identity, that may even be anonymous. Each site defines it's own set of cookies.
However, you are talking about "affiliate sites", meaning there is some relation between them and you. You might be able to require a specific cookie (readable from your plugin) that signals this status.
I have a website that depends completely on sessions and I store them in cookies.
So it is necessary that cookies of browser is enabled.
Now I was able to check if cookies are enabled in the browser using java-script like this:
if (!navigator.cookieEnabled)
{
//Display an warning message asking users to enable the cookies.
}
But what if user doesn't have knowledge where to find an option to enable cookies in browser.
So I would like to provide a button inside warning message to enable cookies of browser using java-script on button click.
Does browsers give this kind of write functionality to java-script?
No, you can't enable this using javascript for a security reason. There are good reasons for not allowing that.
There are some other alternatives if you're willing to consider. i.e. passing session id in the url, storing a session id in the localStorage or the modern approach is to go with JWT token.
I have a web application which is used by lots of non-technical users. I have found that several of these users are saving the login page of the application to their desktops (which also saves the associated CSS and JS files). Then, to start using the application, they double click on that desktop icon which shows the local copy using the file:// protocol.
This can cause problems later on, e.g. if I change the login form, or the URL it posts to, etc. Also, certain javascript utilities, e.g. PIE.htc don't work using the file:// protocol.
Obviously what they should be doing is saving a browser bookmark/favorite, I'm looking for a way of detecting and warning those users without confusing the rest. I have been using some javascript to warn these users:
if (top.location.protocol == 'file:') {
alert('This application is not designed to be accessed from a desktop copy...')
}
But this will only warn users that have saved the desktop copy since I have added this piece of javascript.
Has anyone else had this problem and come up with clever solutions that they'd like to share?
Thanks
Update:
In the end I decided to do this by setting a cookie with a nonce value upon login page request, and storing the same value as a hidden field in the form. Then, in the form submit handler, check that the two are the same and show an error message if not. One could store the nonce in a session instead of a cookie, but I don't want to create unnecessary sessions.
If the user has saved the login page locally, they will likely have different nonce values in the saved form compared to the cookie (if they have a cookie at all).
Normally one wouldn't add CSRF protection (that's sort of what this is) to a login form, but it fulfills my requirements. I read about this technique on The Register, http://www.theregister.co.uk/2009/10/02/google_web_attack_protection/, Google implemented similar protection for their login forms, to protect against forging of login requests, http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests.
I think your best bet is going to be educating the users to use bookmarks instead of saving physical files.
Other than that, there's probably a way to create a shortcut to your URL instead, perhaps during logon?
Maybe cookies? If site is running with file:\\ there probably are not any cookies within request. (Of course, now you should add some cookie (session data) on your login page.
Also, read about CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery and preventing method.
You could probably check the http referrer on the server side and warn users not coming from your hosted login form.
Edit:
Actually, a vaguely similar question has been asked before and got a good explanation why referrer is not an ideal solution and also provides an alternative solution: How to check if a request if coming from the same server or different server?
Why, don't you, instead of the alert, put a redirect to your page?
window.location = 'http://www.yourdomain.com'
Or you can also force a reload with window.location.reload();
Instead of message you may redirect your user to the real page which has login form, or show the help box that will explain that user should save page in such way.
You could set a session variable that is set as a hidden variable in the form. If that is not there, you redirect to your login form.
I'm having a problem with cookies. If the browser has cookies disabled, the cookie gets rejected. Is there a way to enable cookies on the client's browser that is compatible with Internet Explorer, Firefox, Opera and Chrome?
If a user has chosen to disable cookies, who are you to override that choice?
The best thing to do is notify the user that they need to enable cookies for your script/site to work and provide a link to some instructions on how to do so.
Or find a different way to achieve what you are trying to do
I'm not aware of one and would be suprised if there was one - people turn cookies off for (among other things) security reasons, so allowing the site to re-enable them would be a security issue.
What you could do is to write some logic into your app to check for cookies:
First
set a cookie called 'test';
redirect the user to http://wherevertheywere?cookiecheck=1
Then, include logic like this:
if the querystring contains cookiecheck=1:
if the 'test' cooke is set
cookies are working - do whatever you need to do.
else
redirect the user to a special page on your site explaining that they need to enable cookies to use the site. This can include browser detection to give them relevant instructions,
If that would be possible, it’d be a security flaw. So no, it is not possible.
If cookies are not enabled or supported by the browser, you should have your software use an alternative way of maintaining sessions from page-to-page. You may have to include a session key as a URL parameter. Just make sure you have aggressive session key validation. Depending on your language and environment, there may already be facilities for doing this that won't add a lot of development overhead (PHP $_SESSION, for one).
I think there isn't a way to do this.
Hope there isn't a way to do that, too.
If user disabled cookie there is a reason to do this and re-enabling them should be filed as a security flaw
It is probably possible, but there are so many browsers in so many versions that you'd be hard pressed to cover a reasonable number of scenarios.
Further, if the user has disabled cookies, turning them on for the user and using them would be criminal interference with their computer.
Thought this could help anyone, on some browsers you can check if cookie is enabled using :
if(navigator.cookieEnabled)