When logging out from the application, IdentityServer's "You are now logged out of the application" view gets displayed. Is there a way to prevent this from happening?
TIA
You can set EnablePostSignOutAutoRedirect option to true in AuthenticationOptions (it's set to false by default). Then, the user would be redirected back to the post_logout_redirect_uri.
More details here:
https://identityserver.github.io/Documentation/docsv2/configuration/authenticationOptions.html
Related
I'm currently troubleshooting a login issue for a deployed Moodle. Login page uses an alternate page which I have managed to identify. The alternate page considers everything except successful login as invalid or expired login or password.
Since some correct login and password are also getting the same issue.I am trying to restore the Moodle instance to use its default login page but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly please provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there has not been any code changes. Uses a variant of Moove
Thank you
Rest assured that its a common issue
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl'
Note the value, just in case, then blank it out
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl'
Then purge the cache to update Moodle
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration
Although self registration is disabled by default in the settings on the same page (registerauth)
I'm trying to use Form-Based Authentication feature of OWASP ZAP using ZAP's python API.
I noticed that while using a HTTP application (for example - http://demo.testfire.net/) it is able to spider and give additional URLs once logged in. However, when I try the same for HTTPS application it isn't fetching additional URLs once logged in.
My question here is - Does ZAP support Form-Based authentication for HTTP related web application only?
Yes, and we have a FAQ for it: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Its difficult to debug issues when just using the API, so I recommend using the UI first and once you've got that working then converting what you've done to the API.
Via the UI:
List item
Explore your app while proxying through ZAP
Login using a valid username and password
Define a Context, eg by right clicking the top node of your app in the Sites tab and selecting "Include in Context"
Find the 'Login request' in the Sites or History tab
Right click it and select "Flag as Context" / " Form-based Auth Login request"
Check that the Username and Password parameters are set correctly - they almost certainly wont be!
Find a string in a response which can be used to determine if the user is logged in or not
Highlight this string, right click and select "Flag as Context" / " Logged in/out Indicator" as relevant - you only need to set one of these, not both
Double click on the relevant Context node and navigate to the "Users" page - check the user details are correct, add any other users you want to use and enable them all
Navigate to the Context "Forced User" page and make sure the user you want to test is selected
The "Forced User Mode disabled - click to enable" button should now be enabled
Pressing this button in will cause ZAP to resend the authentication request whenever it detects that the user is no longer logged in, ie by using the 'logged in' or 'logged out' indicator.
Via the API the process is the same but using the API calls:
context/includeInContext
authentication/setAuthenticationMethod
authMethodName : formBasedAuthentication
authMethodConfigParams : loginUrl=http://example.com/login.html&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D
authentication/setLoginIndicator or setLogoutIndicator
forcedUser/setForcedUserModeEnabled
The values for authMethodConfigParams parameters must be URL encoded, in this case loginRequestData is username={%username%}&password={%password%}
Turn editing On button is showing in course page to authenticated users in Moodle.
I have tried editing authenticated users permissions but it is still there.
Seems like some permissions are overriding but i can't set it to default.
In the reports setting, capability block is showing following line:
moodle/course:update: Update course settings
I was struggling from 2 days with this issue, finally find solution. This might help someone in future.
Actually the scenario is that Every guest and loged in user is having same rights as "Authenticated user" in moodle. (version 3.0)
issue was that authenticated user is having right to edit course. There was no permission assigned to authenticated user except following:
block/community:myaddinstance
block/course_list:myaddinstance
block/course_overview:myaddinstance
Add a new random glossary entry block to Dashboard
block/html:myaddinstance
block/navigation:myaddinstance
block/news_items:myaddinstance
moodle/portfolio:export
moodle/user:manageownfiles
report/courseoverview:view
moodle/badges:earnbadge
moodle/calendar:manageownentries
moodle/comment:post
moodle/comment:view
moodle/course:sectionvisibility
moodle/course:viewhiddensections
moodle/rating:viewall
moodle/rating:viewany
block/online_users:viewlist
block/site_main_menu:addinstance
moodle/block:view
mod/folder:view
mod/imscp:view
mod/page:view
I turned the following permission to Prohibit and now turn editing on button is not showing to Authenticated Users. Still don't know which of the following worked for this issue. but any one struggling with this issue can overview complete list of permissions from this post.
moodle/comment:post
moodle/comment:view
moodle/course:sectionvisibility
moodle/course:viewhiddensections
moodle/rating:viewall
moodle/rating:viewany
block/online_users:viewlist
block/site_main_menu:addinstance
So, I've been at this for a while now, went through a bunch of different questions, and still no solution.
If I log in regularly, all is fine, I can logout as expected. But, if I login with facebook (authorize the app), then there is no way to logout unless I manually delete the cookies from within my browsers menu.
Following that logic, I wanted to destroy the cookies in the logout action using this code(after I modified my session settings to work across subdomains, for my particular case):
function logout() {
if ($this->Cookie->read('Auth.User')) {
$this->Cookie->delete('Auth.User');
}
$this->Auth->logout();
unset($_SESSION['fb_MYAPP_ID_user_id']);
unset($_COOKIE['fbm_MYAPP_ID']);
unset($_COOKIE['fbsr_MYAPP_ID']);
unset($_COOKIE['CAKEPHP']);
//pr($_SESSION);pr($_COOKIE);exit(); //here I see that the cookies are in fact deleted
$this->redirect($this->Auth->logout());
$this->redirect('/login');
}
But every time after the logout redirect it brings the user back, logged in, and the session/cookies recreated.
I went through a lot of SO questions and answers and none worked for me. Any ideas?
You cannot simply unset cookies from the cookie container, this is just the server side representation of the cookies contained in the request.
To delete cookies you need to set the exact same cookie (domain, path, name) but with an expiration that has passed - when read by the client this will cause the cookie to not be sent with the next request.
You can see how this is done in https://github.com/facebook/facebook-php-sdk/blob/master/src/base_facebook.php#L132.
I ended up using a combination of the following answers:
CakePHP + Facebook
$facebook->getSession() call breaks page below the call
The code on the first one is more complete, but is outdated. I also kept the unset() calls that I have in my question, and it seems to work good for now.
I am adding Facebook login to my existing asp.net application. I have added a Facebook login button to my login screen. Now, I click Facebook's login button and in IE 9 it throws client-side exception in all.js on Line 22: if(a.params)b.fbCallID=a.id;
Even after that exception I see the Facebook login screen and can log in, and in the main browser window I get the auth.login event, so I can live with that.
But, if I am already logged in to Facebook, I come to the page and click Facebook login button, I briefly see the empty popup window, then I get teh same client-side exception, and then I get no event in the main browser window, so I don't know if the user logged in so I can't redirect them to another page.
I tried the channelUrl trick but it didn't help.
Any suggestions what's going on?
I found this hack that fixed the issue for me; add this line right after you call FB.init():
// Hack to fix http://bugs.developers.facebook.net/show_bug.cgi?id=20168 for IE7/8/9
FB.UIServer.setLoadedNode = function (a, b) {
FB.UIServer._loadedNodes[a.id] = b;
};
The reason it is happening (from the websites and documents I have read, and believe me, I've read a LOT) is that IE refuses cross-site javascript, and it sees the all.js as crossing the sandbox border. A good discussion can be found here.
Some people say that adding the channel.html file works, but we have tried all flavors of that, and have not had any success. (Remember that the http or https must match the page sending the request.)
Microsoft makes reference to this same issue and their advice is to add the site to trusted sites (that doesn't help). Old advice (from last year) is to add CP="HONK" as your compact privacy policy, but I think that bug was fixed, and it was cookie-related.
What seems to be happening to us is that the login actually continues, and the callback gets called properly, but the main thread that should complete outside of the login call stops executing (because of the error). So, any functions outside the login fail to execute after the login call.
If anyone has a way to get IE to not throw the exception or to create a workaround for this issue, I am desperate to have it. Any info needed I will be happy to provide, but a sample is here:
enter code here
code before login here...
FB.login(function(response){
callback stuff here... This part fires.
});
main thread stuff here... This fails because of permission denied error.