Invalidate a session on browser close in ember-simple-auth? - javascript

I'm pretty new to Ember.js and ember-simple-auth, so I hope you can help me.
I'm using ember-simple-auth in my application. What I want to do is to invalidate the session when the browser is closed or the user leaves the page. This is only supposed to happen if the user previosly logged in (thats why put it in the authenticate action).
I tried something like this:
actions: {
authenticate: function() {
var _this = this;
this._super().then(null, function(message) {
_this.set('errorMessage', message);
});
$(window).on('beforeunload',function() {
_this.get("session").invalidate();
});
}
}
The problem is that it does not work when closing the browser. Also when I change the URL (to leave the application, for example www.google.com) it transitions to "/" and does not open the desired URL.
So the question is: How do I invalidate the session when the browser closes (or when the user leaves the application).
Thanks.

I'm not sure how you would handle the case when the user leaves the application (you can probably handle some navigation event and the invalidate the session with this.get("session").invalidate();). To invalidate the session when the user closes the browser though, the best solution is to use the cookie session store and configure a sessionExpirationTime of null so that the cookies are session cookies that get deleted automatically when the browser is closed.

Related

Workaround for banking authentication redirect to prevent session loss / need for session restorage

My question is kind of a follow-up to this somewhat old post, which is why I though of asking here, instead of just asking via comment there.
My question is straightforward: I have an online platform with very tight session restrictions (samesite, httponly, short lifetimes, etc.), and while a user is logged into the platform, they may execute payments. These payments may redirect them to an intermediary foreign domain and then back to mine for authentication. Without a workaround (that I've coded and it works) for the session restorage, the session gets lost and the process breaks.
Even though I have a working workaround; I wondered if it is not possible to open the redirect page in a new tab via js (because the redirect has to work in js at the current stage anyway), confirm the payment, then, when the payment gets confirmed, close the banking tab and do the according refreshes on the platform tab. Is this possible via js ? The problem I see with the linked solution is:
btn.onclick = () => {
const win = window.open(
'http://www.stackoverflow.com',
'Secure Payment');
const timer = setInterval(() => {
if (win.closed) {
clearInterval(timer);
alert('"Secure Payment" window closed!');
}
}, 500);
}
How can I know when the client finished the authentication in the other tab, + prevent the redirect that will automatically triggered in that case, to the redirect target post-authentication that you normally provide when requesting the payment? Is there a way to track all of this in js? Because I don't see any...?

Refresh page and close browser callbacks

I am new to Angular, I am developing Angular 6 application. I have used callback which called when we refresh and close page:
#HostListener("window:beforeunload", ["$event"]) unloadHandler(event: Event) {
console.log("Processing beforeunload...");
event.returnValue = true;
}
But Now my requirement is, when we close browser then i should sign out. And i have implemented this in above code sample(Removing token from local storage).
But problem is when i refresh page this callback called and it removes token.
Is there other way to handle these two conditions using other callback??
Thanks in advance
Try Storing the token as a cookie without specifying a date,then the cookie is removed once the user quits his or her browser.So when he or she open the browser token will be no longer available and will be redirect to sign in.Hope this helps.

Logout when the user close the tab

On my Django site, I want to logout from the site automatically when I close the tab or browser. I mean when I close the site by closing the tab instead of using logout button, after entering the URL again, I want to see that the user has already logged out from the site to force the user to enter username and password again.
Is there a way to handle closing the tab in JQuery?
Thank you in advance.
Edit: onunload & onbeforeunload events cause to logout the user when also reloading the page.
Add your logout code to the on onunload event.
window.onunload = function () {
//logout code here...
}
In JQuery you can use the .unload() function. Remember that you don't have much time so you may send the Ajax request but the result may not reach the client.
Another trick is to open a small new window and handle the logout there.
window.open("logout url","log out","height=10,width=10,location=no,menubar=no,status=no,titlebar=no,toolbar=no",true);
If you want to disable closing the window (or at least warn the user), you can use this code:
window.onbeforeunload = function(event) {
//if you return anything but null, it will warn the user.
//optionally you can return a string which most browsers show to the user as the warning message.
return true;
}
Another trick is to keep pinging the client every few seconds. If no reply comes back, assume the user has closed the window, browser has crashed or there is a network issue that ended the chat session anyway. On the client side, if you don't receive this ping package, you can assume that network connection or server has a problem and you can show the logout warning (and optionally let the user login again).
You can use Javascript onunload & onbeforeunload events. In these events destroy the session cookie for Django.
Those events are also fired when you leave a site over a link or your browsers back button so be careful and think twice if this is really what you want.
I just ran into this. In your Django settings.py file, you can add the flag:
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
This will log the user out when the browser is closed. Note that the user will remain logged in if there are other tabs or windows still open (the browser must be completely closed).
window.onunload = function () {
//logout code here...
window.open("logout url","log out","height=10,width=10,location=no,menubar=no,status=no,titlebar=no,toolbar=no",true);
}
This code works.
this will open a small pop up window for the logout url.

Make cookie presistent even after browser shutdown/restart using Angular.js

I am using Angular for my project, and got into a problem with authentication. On successfull authentication user retrive a token from server, and as long user have this token he can access all the places where he need authentication (i thought its a best way to do this since i use MVC web API as backend, and i dont have sessions). Everything works fine, until i close down my browser, and start it up again $cookieStore and $cookies are empty after restart.
Does anyone have any idea how to make cookie presistent, or are there any smarter way of doing this?
Ive created a test controller with a testview where i have 2 buttons which set and load $cookie before restart it works, if i open a new window while the other one is still up its works too, but as soon i close everything down, coockies is empty.
$scope.Set = function () {
$scope.LoadedData = "test";
$cookies.myFavorite = 'oatmeal';
}
$scope.Load = function () {
var b = $cookies.myFavorite;
console.log("testasdasd" + $cookies);
$scope.LoadedData = $cookies.myFavorite;
}
There are 2 types of cookies: session cookie and persistent cookie.
Session cookie is in memory and only survives until you close the browser.
Persistent cookie will be saved into disc and will be expired based on the Expires property.
The decision to save the cookie as session or persistent is server side, not your client side javascript.
When you use .NET Forms authentication, you can use FormsAuthentication.GetAuthCookie to create a cookie, the second parameter determines if this is a session or a persistent cookie.
I know this question was already answered, but actually you CAN manage cookies persistence client side. Just $cookieStore.
Persistent cookie:
// from your controller
$cookieStore.put('auth_token', token);
// in your module
$http.defaults.headers.common.Authorization = $cookieStore.get('auth_token');
In the module, we are telling angular that we want to use this session everytime any page of our website it's loaded.
EDIT: You may be interested in HTML5 localstorage instead of cookies.

How do you deal with logging out a user with multiple tabs open when a session ends?

We want to log the user out when the session ends, so one approach is to have JavaScript redirect the user to the logout script after the time period of the session passes. If the user has multiple tabs open, however, the JavaScript can activate on a tab that isn't visible and log the user out. We can't do an AJAX call because that would reset the session time length. What's a good approach to dealing with logging out a user with multiple tabs open when the session ends?
EDIT: The session expires on the server after a time length. The JavaScript is just there to redirect the user to the logout page so that the content does not stay on the screen.
Expire the session cookie. Cookies can be set to expire at browser close or after a certain period of time. See http://en.wikipedia.org/wiki/HTTP_cookie#Expires_and_Max-Age
You have to poll the server if the user is logged in. You can do it per AJAX or WebSockets. Maybe you can automatically redirect if the cookie is expired but I don't know exactly if you can check the expiry date per JavaScript.
Why do you rely on javascript for this? Log him out on a server and then open tabs don't matter.
I've a MVC application, On successful Login I set a login Storage value in my Layout.cshtml
$(document).ready(function () {
function loginStorageChange(event) {
if(window.localStorage.getItem('loginStorage') === null) {
setTimeout(function() { location.reload(); }, 1000);
}
}
window.localStorage.setItem('loginStorage', true);
window.addEventListener('storage', loginStorageChange, false);
});
On Logout Click, I remove the loginStorage before form submit
function logoutSubmit() {
window.localStorage.removeItem('loginStorage');
$('#logoutForm').submit();
}
So when window detects that loginstorage has been changed so it reloads the page, Server indicates a logout and redirects to login page.

Categories