Simultaneous Session Logons in AEM & Jackrabbit Oak - aem

I was asked to address the "Simultaneous Session Logons" problem in AEM (https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Simultaneous_Session_Logons).
I'm looking for a ready solution in Oak for preventing a user account from being logged in multiple times at once.
I found that user tokens are created under the "/home/users/c/[user_hash]/.tokens" path, so I was thinking about making a listener that would remove the old token when a new one is created, but I cannot believe that Oak doesn't allow setting this up in some simple way.
I've checked Oak's website but couldn't find anything on that topic. Searching on Google is not helping either.
If you have any idea whether this can be done in another way than with the mentioned listener, then please share it with me. If you think that this shouldn't be done because of some Oak mechanisms that I might not be aware of, then please warn me.
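One way to build the listener described in the question, as an added example that is not part of the original post or of Oak itself: a JCR observation listener that watches for new token nodes below /home/users and removes every other token in that user's `.tokens` folder, so only the most recent login stays valid. It assumes a long-lived service session with write access below /home/users and the default layout in which token nodes sit directly under `.tokens`; the class and method names are the example's own.

```java
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;

public class SingleSessionTokenListener implements EventListener {
    private static final String USERS_ROOT = "/home/users";
    private static final String TOKENS_FOLDER = ".tokens";
    // Assumption: a long-lived service session with write access below /home/users.
    private final Session session;
    public SingleSessionTokenListener(Session session) {
        this.session = session;
    }
    /** Subscribe to NODE_ADDED below /home/users; noLocal=true skips this session's own writes. */
    public void attach() throws RepositoryException {
        session.getWorkspace().getObservationManager()
               .addEventListener(this, Event.NODE_ADDED, USERS_ROOT, true, null, null, true);
    }

    @Override
    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            try {
                String path = events.nextEvent().getPath();
                // Token nodes sit directly under a ".tokens" folder; ignore everything else.
                if (!path.contains("/" + TOKENS_FOLDER + "/") || !session.nodeExists(path)) continue;
                Node newToken = session.getNode(path);
                if (TOKENS_FOLDER.equals(newToken.getParent().getName())) {
                    removeOtherTokens(newToken.getParent(), newToken.getName());
                }
            } catch (RepositoryException e) {
                // A failed cleanup must not break the login: discard partial changes and carry on.
                try { session.refresh(false); } catch (RepositoryException ignored) { }
            }
        }
    }
    private void removeOtherTokens(Node folder, String keep) throws RepositoryException {
        boolean changed = false;
        for (NodeIterator it = folder.getNodes(); it.hasNext(); ) {
            Node token = it.nextNode();
            if (keep.equals(token.getName())) continue;
            token.remove();
            changed = true;
        }
        if (changed) session.save();
    }
}
```

Observation events are delivered asynchronously, so both tokens are valid for a short window after the second login; the older browser is cut off on its next request, when its token cookie is re-validated against the repository and the node is gone.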

Related

Facebook Developer Account always disabled after couple of days of using Messenger API

This is not exactly a programming-related question, but it is closely related to developing, so I think it is pertinent.
I've been charged in my work with developing an app with access to Facebook Messenger. I needed a Facebook account and I didn't want to use a personal one (and I don't use Facebook anyway), so I created a new Gmail account to sign up to Facebook, as a user and as a developer.
After a couple of days of work, having created the page, my webhook, done some tests, etc., and investing a good deal of work hours, my account appeared as disabled.
I have to admit I didn't use much real info on this account (I'm kind of allergic to disclosing personal information unless mandatory), and the account was new, so I thought that maybe that was the reason (they don't give you any).
So I tried again a second time with an account I had been using for years (just for logging in to some sites, not much real information there either; as I say, I don't really use Facebook), and after a couple of days, same result: locked account.
I can't stress enough that I don't use the API extensively. I just send some messages to another user I have added as one of the application developers so I can test (that other account is never blocked, by the way). It's not like I am sending hundreds of messages or anything like it. And by the way, I have never been blocked while I was doing something (so I could identify my wrongdoing). It just happened that at some point when I was going back to work (first hour in the morning, or after lunch, for example) I tried to log in again and then I got the warning.
So I have tried a third time, this time I have given all my real information, reluctantly uploaded a personal picture, given all my data to Facebook (yikes!).
And after a couple of days: damn, same result. Blocked account. Work lost. They prompt you to upload a picture to check your ID, but to no avail (no answer yet, not even a notice of any kind), and they don't give you absolutely any reason why they have blocked you.
And if I go to https://facebook.com/help/contact/260749603972907 to fill in the form where they ask you to upload an ID, then it says that the email doesn't belong to a disabled account!
What is the unusual activity they have detected? What have I done wrong? Has someone experienced the same problem? Has someone got any clue as to what it is that I could be doing wrong?
Because I don't want to go through the whole process once again only to get blocked in a couple of days.
Thanks.
EDIT 1:
OK, after checking again, now it recognizes the account as a disabled one. I have gone to https://facebook.com/help/contact/260749603972907 to fill in the form and I have uploaded my ID (even though I completely disagree with disclosing that kind of information).
Honestly, I don't know what it means by "shortly". It's been two days now and I have not received any kind of notification yet.
By the way, I haven't received any kind of notification (mail, SMS, anything) during any step of the process EVER. No one. Nothing. Not even an automatic email response. Plain absolute silence.
Honestly, if Facebook uses a security system like this, that lets hackers in while blocking legitimate users, creating false positives and making us lose many hours of work, without any reason or notification or explanation, then Facebook security is plain wrecked.
And I cannot do anything less than strongly discourage any developer from using it if they can avoid it (which unfortunately I can't).
EDIT 2:
After some days I regained access to my account again. Without any notification, I just tried again and now it worked (really good communication policy, Facebook, congratulations).
My app had disappeared, so I had to go through the whole process again. And after sending ONE message to the API, this again:
And once again they asked me to upload a picture of myself (I think they already have enough pictures of me to make an album).
This is just plain crazy.

Golang server background notification process

I apologize in advance for my bad English.
I've created a simple training service in Golang, which supports a login and registration system with MongoDB. This service allows you to scrape rooms for rent in London in a specified location if you are logged in. So now I want to implement notifications for logged-in users about new rooms in the user's marked location. My first idea was to make some background process which will scrape rooms every 30 seconds, save the results (in Mongo, in cookies or somewhere else; advise me please), match the new scrape results with the previous ones and save the differences (new rooms) in the DB for future posting to the user in some form (email or a list on an HTML page).
1) Is my idea about notifications generally correct? If not, please describe a better way to do this or point me to some related examples.
2) What is the best way to make that background process in Go?
3) It would be great if you'd point me to some examples related to this case.
The demo of service on Heroku
Github repo
I appreciate your concern.

Hide Workflow from SiteAdmin

We have a requirement in our project to hide some workflows in siteadmin. We are using AEM 6.1. Please let us know if anybody has any solution. Any help is highly appreciated.
Thanks,
Tushar
Using User Permissions
This can be controlled by user permissions. The permissions can be updated in the useradmin console to remove read permission from the workflow models you do not want shown to the user. Permissions can be managed via groups.
Please note that there are 2 workflow models for Schedule Activation/Deactivation; read access is required for these in case you want the user to be able to use the "Activate/Deactivate Later" OOTB functionality in the siteadmin/damadmin console. These 2 are anyway not shown in the workflow list while initiating a workflow from the siteadmin/damadmin console, but we should take care while removing read permissions.
This solution is verified.
Using Model changes
The model can be updated to make it a system workflow; refer to the Adobe Forum link. Verify this one with Daycare to see if there is a side effect.

questions about facebook oauth migration

When Oct 1 rolls around, I want to make sure my games are covered. So in that light, I have a couple of questions.
I understand I need to offer an SSL version, which is done, but does that mean that the http version is going away? Or will it just mean that all apps will require both versions, rather than being able to leave one blank?
With the dashboard increment calls going away, what prompts the system to add a [1] next to the app in the sidebar when the player has something they need to do? Unless the app has some way of telling the Facebook server that a user has some task they need to perform, how is that going to increment?
With the new "manage_notifications" permission, does this imply that after a long hiatus, apps will once again be able to post messages to a user's notification drop-down? Which would be great and would make the previous dashboard question void.
Thanks for your help!
The SSL version is required for your users who have secure browsing enabled in their security settings. Without an https version your app is not accessible to users who opt for secure browsing.
The [1] that you see next to the apps is the number of pending requests sent using the Requests Dialog.
For more details: https://developers.facebook.com/docs/reference/dialogs/requests/

Facebook Connect Implementation questions

I hope this is allowed, but I have a number of questions regarding Facebook Connect; I'm quite unsure how I should approach implementing it.
I am working on a live-music-type service and currently have user registration, etc. If I were to implement Facebook Connect alongside this, would I still be able to email the Facebook Connect users as if they were in my database?
Also, would it instead be possible to let users who have Facebook "link" their accounts once registered, so I am able to give them the benefits of sharing via Facebook and inviting friends while still having an actual registered user on my system?
I have tried to read up on answers to the above questions, but what I've found is quite ambiguous.
Thanks, I look forward to your views.
Facebook's documentation process is very poor, so don't feel bad about having a hard time getting started. Their wiki-style approach to documentation without any real official documents tends to leave the "process flow" tough to grasp, and requires piecing together parts of a bunch of randomly scattered docs.
Facebook has an obligation to protect privacy, so they never make a user's actual email address available to application developers, through Connect or normal applications. They do have a proxied email system in place that you can use; however, you must get explicit permission from a user in order to email them. There's a decent document on proxied email here. You can get permission by prompting for it; there are several methods for doing so linked in that document.
In regards to linking Facebook and local accounts, this would definitely be the way to go. Once a Connect user logs in, you want to store that fact for that user so you can provide the Facebook-specific functionality. I would simply create a normal user account in the database for every new Connect user that came by, with its own local id, so that you don't have to do special handling of two different types of user accounts all over the site. That being said, the account would obviously have to be marked as a Facebook user's account (I use an externalId column in my users table), and any part of the site that relied on information you might otherwise have locally would have to handle the Facebook aspect properly (such as using proxied email instead of normal email).
For existing users, you could arrange an "account link" by having a process whereby they log into FB Connect after they've logged into the site already, and you could detect that and simply add their FB id to your users table. After that, they could log in through Connect in the future, or through your normal process. I've never done this, but it should be possible.
If you write the account handling code generically enough, your site will be able to function well no matter what kind of user you throw at it.