Moodle user profile page is loading even after the profile owner has logged out. How can we protect authenticated pages after logout? - moodle

Moodle (v3.7.1): a user has logged in, opened his profile page (user/profile.php?id=5560) and logged out. Now, if anyone else opens this profile page URL in that same Chrome browser, it loads and discloses all profile details even though the owner has logged out, even on page reload. It must be loading from the browser cache.
cache-control: private, pre-check=0, post-check=0, max-age=0, no-transform
Can you please advise exactly which file or config has to be changed so that any similar authenticated pages are not cached? Thank you.
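As an added example (not Moodle's own code), this script parses the Cache-Control header quoted above and reports why a shared browser could still replay an authenticated page after logout; the "hardened" header is the commonly recommended set of directives for responses carrying session data, not something Moodle ships.

```python
"""Audit a Cache-Control header for an authenticated page (added example)."""
from dataclasses import dataclass, field

# Header quoted in the question (constructed input for this example).
OBSERVED = "private, pre-check=0, post-check=0, max-age=0, no-transform"
# Directives generally recommended for responses that carry session data.
HARDENED = "no-store, no-cache, must-revalidate, max-age=0"
# Internet Explorer-only directives; current browsers ignore them.
LEGACY = {"pre-check", "post-check"}


def parse_cache_control(value):
    """Turn 'a, b=1' into {'a': None, 'b': '1'}; names are case-insensitive."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


@dataclass
class Verdict:
    safe: bool
    problems: list = field(default_factory=list)  # let a copy survive logout
    notes: list = field(default_factory=list)     # harmless, worth cleaning up


def audit_authenticated_page(header):
    """Flag anything that lets a browser or proxy keep and replay the body."""
    d = parse_cache_control(header)
    problems, notes = [], []
    if "no-store" not in d:
        # max-age=0 only forces revalidation; the body may still be written to
        # disk and shown from history (back button) after the session is gone.
        problems.append("missing no-store: body may be kept in browser cache")
    if "no-cache" not in d and d.get("max-age") != "0":
        problems.append("missing no-cache/max-age=0: stale copy served unchecked")
    if "public" in d:
        problems.append("public: shared caches (proxies, CDN) may store the body")
    for name in sorted(LEGACY & d.keys()):
        notes.append(f"{name}: legacy IE directive, no effect in current browsers")
    return Verdict(safe=not problems, problems=problems, notes=notes)


if __name__ == "__main__":
    for label, header in (("observed", OBSERVED), ("hardened", HARDENED)):
        v = audit_authenticated_page(header)
        print(label, "safe" if v.safe else "unsafe", v.problems, v.notes)
```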

As far as I know the pages are not cached, so it will always check the current logged-in user's capabilities when calling the profile.php page.
Have you made some customizations to Moodle core?
Maybe it would be a better approach to try to reproduce this error on a clean Moodle 3.7.1 installation. If it exists there, you should create a Moodle tracker issue. But I don't think that the error is due to a Moodle core bug.
Greets
Adrian

Check your site security settings.
Go to Site administration > Security > Site security settings
and make sure the following settings are checked:
Force users to log in for profiles
Force users to log in to view user pictures

Related

Has anyone actually got ASP.NET MVC 5 Identity Facebook logins to work out of the box? (loginInfo always returns null)

Using Visual Studio 2013 Update 5, I have created a boilerplate MVC 5 application with Individual User Accounts auth option selected, and I have been trying to implement social logins using the template code, but have been unsuccessful.
I have ensured all NuGet packages are up to date, and the code is using MVC 5.2.3; Owin 3.0.1; AspNet.Identity 2.0.0.
I can get everything working fine, including authenticator apps using OtpSharp, but the Facebook login is just not working whatever I try.
I have created the Facebook App, set all the relevant options on that and set the AppId and AppSecret in my Startup.Auth.cs file.
When I try to log in with Facebook, the MVC site redirects me to Facebook, which prompts me with the auth screen for the app. I click OK and accept this, then I am redirected back to the MVC app. If I check the authorised apps under my Facebook account, my app is listed and shows that it has granted permission to the app to retrieve the email address.
The callback works fine but when it hits ExternalLoginCallback and in particular:
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
loginInfo always returns null.
Looking at the Request it shows an error of access_denied:
https://localhost:44301/Account/ExternalLoginCallback?ReturnUrl=%2Fmanage&error=access_denied
I have read pretty much every blog post and SO question on this error and whilst most of them are helpful, most are also out of date and not relevant.
It would seem that something is missing from the templated project, or something has changed elsewhere as no matter which tutorial I read, and options I set, the result is the same.
I have tried this internally on a dev machine running IIS Express and externally on a hosted machine running IIS 7.5 too and the results are the same.
I've even decompiled the Microsoft.Owin.Security.Facebook library to see where that particular section of the querystring is set, to no avail.
If I had any hair I'd have pulled it all out by now.
I'll take any suggestions. Can anyone help?
Facebook loves to make things difficult. access_denied sounds like they are blocking you on purpose. Check your developer dashboard and the accounts authorized to test your app while it's in development mode. The email permission is approved by default, so that isn't your issue.
Make sure the account you are testing with is added here:
If that doesn't solve it, make sure you have the correct app domains (testing and live) listed in the domain section here:
I had the exact same issue. No matter what I did, Facebook would show the login, get permissions and then return back to the Login page instead of the Email confirmation page.
Using Fiddler, Facebook would invoke "http://localhost:1234/signin-facebook&code=SOME_SECRET_CODE_HERE", and then my application's controller would invoke "http://localhost:1234/ExternalLoginCallback?error=access_denied". I was sure Facebook was refusing the access. It was only after implementing a Facebook JavaScript SDK sample that I realised I could successfully log in and also view FB scopes!
My Dev environment
MVC 5 application
Visual Studio 2013 Community edition Update 5
Microsoft.OWIN v2.2.1
Microsoft.OWIN.Security.Facebook v3.0.1
Finally I found a YouTube video by ProCoder which mentioned putting the correct path in the Valid OAuth redirect URIs as http://localhost:1234/signin-facebook, and it worked. If you haven't already added it, you will need to add the Facebook Login product to your Facebook app.
I also set App Domain to localhost and Site URL to http://localhost:1234/
I have added 127.0.0.1 and MY.EXTERNAL.PUBLIC.IP to the Server IP Whitelist under Security in the Advanced Settings option of the Facebook app.
All these settings I replicated in a new MVC 5 application and it worked like a charm.
Update the package Owin.Security.Facebook 3.0.1 to 3.1.0.
It works for me.

Facebook page tab prompting for login, but it shouldn't

When a user is not logged in and they navigate to a page tab made with our app, they get an obtrusive dialog asking them to log in:
This has nothing to do with http vs https, the app is not in sandbox mode, there is nothing in the tab asking for a login or user information, etc. I've gone through the app settings at least a half dozen times now, and nothing is wrong there. Aside from URLs, the settings are identical to another app I have that does not suffer from this problem. I'm stumped!
Edit: here is an affected tab: https://www.facebook.com/StaticHtmlThunderpenny/app_203351739677351
This message is not about login to your app, but Facebook in general.
So my guess would be that the page your app is installed as page tab app on is restricted in some way – by age, location, or for having alcohol-related content. And then of course Facebook asks for login, because otherwise they can not determine whether or not the (as of now still “anonymous”) user qualifies to see the page.
So go check the page settings.
This is actually not an app-related question.
This is a rule of thumb!! To access any app on Facebook, you need to log in to Facebook. You can see a Facebook page without logging in. But for Facebook apps, you should be an authenticated user.
With this issue, in my own experience that I came across some years back with a Facebook app that I was running, if this doesn't relate to any of your other social networking apps then I am aligning two sets of possibilities and solutions.
The user might not have properly logged out as "written" in the app for the user's logout stage.
The solution would be that the user logs out as expected before closing the app.
The user might have set up an automatic login prompt which was removed by the app when it was updated automatically. (If you get me???)
The solution would be to monitor your app on updates and login information, or better still just log in and log out as intended by the app and for security reasons.
Lastly I would say that an automatic bookmark database should be added to the server part so current pages, as the user uses the app, would be saved after the logout or login stage. Thank you, hope this helps, and if not let me know what I am missing.

Facebook GraphApi stuck in login success page

I have integrated the Facebook Graph API in several applications, but recently I have encountered a problem: while I have Secure Browsing enabled in my Facebook Profile -> Privacy Settings -> Security, and using the simple FBGraphApi, it passes all the steps of asking permissions and so on but gets stuck on the last step, that is, it doesn't get the access token in the redirect URL set to http://www.facebook.com/connect/login_success.html, whereas as soon as I disable Secure Browsing the login goes fine and I get the access token appended to the redirect URI.
The problem is: yes, I am able to make it work, but it is impossible to tell all users to disable Secure Browsing in their profile, and it wouldn't be a good thing to do either.
Please give some thoughts on this, if anyone has encountered a similar problem.
My problem is similar to this problem.
We had the same problem with our application. A co-worker did some research and found that if you started the request process (oauth dialog in our case) using https:// instead of http:// then it would work with or without secure browsing enabled.
So
http://www.facebook.com/dialog/oauth/?response_type=token&display=page...
turned into
https://www.facebook.com/dialog/oauth/?response_type=token&display=page...
EDIT
There was also a redirect URL in the URL(s) above which he also changed to https.

Website shows sitecore login page

We just went live with a new Website that's using Sitecore. In the last couple of days, we have heard users complain that they are seeing the Sitecore login page on the live website for the links they bookmarked or just randomly. We are using a load balancer with 3 servers behind that load balancer. Also, the authoring server is behind a firewall and the authoring interface is only accessible via VPN.
Any ideas/suggestions?
Thanks
Would it be possible to have a deny permission on the sitecore shell directory for your main website? This way users cannot access Sitecore from your main website.
You can still have Sitecore enabled on your authoring server though.
This issue has happened to me a couple of times, and I figured out that at some point you must have logged in to Sitecore from that browser. Can the users try accessing your website from another browser? It should work fine.
I haven't been able to figure out why this happens though, maybe because of cookies.
Like techphoria414 said, opening the site in a new browser or clearing the cookies solves the problem.
But to add more detail to this, the cookie responsible for this is:
website#sc_mode with the value "edit" or "preview".
If the users with the problem have been editing the site or using the page editor mode, this cookie gets created. Even if they log out, sometimes the cookie stays there and when they try to access the live site, Sitecore answers with a 302 (redirect) to the login page because of this cookie.
They can either delete all cookies or simply this one.

Why is my Facebook app in a Page Tab not appearing to non-admin users?

I have a Facebook app running in a Page Tab (the tab of a Facebook Page for an organization). The Page Tab URL (and Secure Page Tab URL) points to a URL on my own server which holds a PHP page that contains an iframe of a Google Calendar.
The app works perfectly fine when I open the Page using the admin account (both http and https). But when I open the Page using the user account of someone who has 'Liked' the Page, the app does not appear at all (both http and https). Any suggestions? Thank you.
Check if the app is in sandbox mode, in the Advanced section of the Settings here:
https://developers.facebook.com/apps
I believe that is the problem.
You may have overlooked the "sandbox" setting that should be "disabled"; this could be one explanation, as per the answer above. If this has not answered your question, then you may find another explanation here:
http://developers.facebook.com/docs/appcenter/guidelines/
Basically, if your application doesn't do anything it will probably not be approved and it will not be visible to anybody except you, the developer. There are other issues, like copyright infringement and so on... please read.
(Also, just in case you are interested, it should be installed more than 30 times, I guess by different persons, in order to be "searchable".)