Unable to get idsrv cookie to timeout instead of be persistent - identityserver3

I have a problem where my idsrv cookie never seems to have a physical expiry time. So users on shared computers are logging in as each other because nobody appears to close their browser to kill this cookie.
Can someone please shed some light on what I should be doing?

You need to use persistent cookies to set the expiration, this will persist the cookie over browser sessions but also allow you to set the expiry. You don't mention which version of ASP.NET you're using but here's an example using aspnet core (the third parameter here must be true to persist the cookie):
var result =
await _signInManager.PasswordSignInAsync(model.Email, model.Password, true, true);
There are other ways to sign in but one way or another you'll have an overload that will allow you to set the persistent flag.
Then elsewhere you need to set the expiry when setting up cookie options you can specify the expiry time, e.g. if using Asp.Net Identity:
services.AddIdentity<ApplicationUser, IdentityRole>(
o => o.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(30));
(Bear in mind that if you are on core and you upgrade to or use v2.0 you'll need to use services.ConfigureApplicationCookie instead, see here).
Of course this might not eliminate your users swapping machines within the expiration period but you can make the expiry small. What you can also do is use the SlidingExpiration flag alongside the expiry:
The SlidingExpiration is set to true to instruct the middleware to re-issue a new cookie with a new expiration time any time it processes a request which is more than halfway through the expiration window.
Meaning you can decrease the expiration time and so long as the user is still active they'll get new cookies. So the above code could be adjusted to:
services.AddIdentity<ApplicationUser, IdentityRole>(o =>
{
o.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(10);
o.Cookies.ApplicationCookie.SlidingExpiration = true;
});

Related

How to specify the domain of cookie with Scala and Play

I want cookies which is set from test.domain.com to be set for .domain.com so that that it can still be used from anothertest.domain.com. Basically cookies should be shared between subdomains.
I called backend deployed at test.domain.com and set cookies with OK response as follows:
Ok("some response").withCookies(Cookie("id", id), Cookie("token", token))
And in application.conf I have set the session domain to ".domain.com"-
session {
\#Sets the cookie to be sent only over HTTPS.
\#secure = true
\#Sets the cookie to be accessed only by the server.
\#httpOnly = true
\#Sets the max-age field of the cookie to 5 minutes.
\#NOTE: this only sets when the browser will discard the cookie. Play will consider any
\#cookie value with a valid signature to be a valid session forever. To implement a server side session timeout,
\#you need to put a timestamp in the session and check it at regular intervals to possibly expire it.
\#maxAge = 300
\#Sets the domain on the session cookie.
domain = ".domain.com"
}
However, the cookie is being set for test.domain.com rather than .domain.com.
I want to use this cookie with anothertest.domain.com .
Can you please help me with this.
You don't have to change the configuration, you can add all attributes of a cookie when creating it.
Cookie("bla", bla).withDomain(xxx)
// Or
Cookie("bla", bla, domain = XXX)
(Not sure of exact name, I don't have documentation with me right now)

Set default Global XSS filter- Session - CodeIgniter 3x

Hope someone can help me explain some of my questions in order:
1. When i set application/config/config.php:
Determines whether the XSS filter is always active when GET, POST or
COOKIE data is encountered.
$config['global_xss_filtering'] = TRUE;
So if I set the default value is FALSE. What benefits will I get? For example, the performance or processing speed of the server?
2. Session
function save(){
$data = $this->input->post('number',TRUE);
$this->session->set_userdata('TEST',$data);
}
//Suppose Client request GET to action
function insert(){
$num = $this->session->userdata('TEST');
//Do I need to filter data in session?
$num_clean = $this->security->xss_clean($num );
$this->model->run_insert($num_clean);
}
I do not trust the user. And I still do not understand much about: session activity
The server just sends the ID Session to the client. Does the server send the data, which I set up to the session, to the client?
Best way xss_clean for session Which i am using is: Filter the client data by xss_clean input class. Is that enough? And need to re-filter session again?
Hope someone helped me because I just using only Codeigniter's XSS filter. Thanks
part 1:
From CodeIgniter User Guide Version 2.2.6
XSS Filtering
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
So answerto your 1st part of question : yes ,
setting $config['global_xss_filtering'] = false; has performance benefits. also in codeigniter 3 its This feature is DEPRECATED. So i prefer to set it false.
part 2 :
Session is different from cookie
Unlike a cookie, the information is not stored on the users computer. So when you store a session ,its safe to trust the session data.
session data are stored in server. Most sessions set a user-key on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key. If there is a match, it accesses that session, if not, it starts a new session.
here is a simple guide to session to read https://www.w3schools.com/php/php_sessions.asp
deftailed one : http://php.net/manual/en/intro.session.php
in short $num_clean = $this->security->xss_clean($num ); this is unnecessary.

How to get the current user using jsonwebtoken in Sails.js?

I've been working with Sails since couple of weeks ago, I came from Rails and I don't have any experience working with Node.js.
Now I'm trying to make a robust token authentication using jsonwebtoken.
https://github.com/auth0/node-jsonwebtoken
I followed this guide http://thesabbir.com/how-to-use-json-web-token-authentication-with-sails-js/ and everything worked fine.
I'm able to make a sign up, sign in and then use the token correctly for different actions.
Now, there are some actions where I'd like to use the login user,
something like devise current_user helper.
For example, when creating a comment, this comment should belongs to the current user.
Using Sabbir Ahmed guide, in the line 33 from the isAuthorized.js policy the token gets decrypted so I can get the current user id from there.
So, my question is, what should be the best way to get the current user and be able to use it later in some controller?
For example I tried something like:
# isAuthorized.js line 34, after getting decrypted token
User.findOne({id: token.id}).exec(function findOneCB(err, found){
currentUser = found;
});
But, on this way, because this is an async action I can't use this currentUser in a controller.
I want to store the current user in order to be able to use it later in some controller without repeated the same code in each controller, something like a helper or maybe a service.
The trick is where you place the next(). Since you are making an async call, the control should only be transferred to next policy/ controller once the database action is competed.
You should modify the policy to:
User.findOne({id: token.id}).exec(function findOneCB(err, found){
if(err) next(err);
req.currentUser = found;
next();
});
And you should be able to access the user details in controllers that use isAuthorized policy via req.currentUser
If by
For example, when creating a comment, this comment should belongs to the current user.
what you mean is certain attributes like username, and country etc, rather than querying the database after verification, what you can choose to do is to send these additional attributes to jwToken.issue in api/controllers/UsersController.js
eg.
jwToken.issue({
id: user.id,
username: user.name,
country: user.country
})
How that helps is, you can keep api/policies/isAuthorized.js as is, and in all the controllers that you use in the future, you can access the payload values from as
token.username or token.country
Instead of having to query the database again, thereby saving you valuable response time.
Beware however, of the data you choose to send in the token (you could also send {user:user} if you want to) however, as the secret key or hashing is not required to decrypt the payload as you can figure # jwt.io , you might want to exercise restraint.

Cookie expiry time being set to "Session" when I set it to epoch with GWT

I'm trying to remove a cookie in a GWT application that I have. I first tried using Cookies.removeCookie, but it didn't seem to have any effect. I'm fairly certain this is because removeCookie doesn't let you specify the domain and path.
I'm trying now by setting the cookie to expire at the epoch time, but when I check in chrome's dev tools, the cookie's expiry time is set to "Session", it's not removed immediately as I expected.
Here's what I'm using. I'm using the same parameters I used when I set the cookie, the only difference is the value and the date.
boolean secureCookie = "https:".equalsIgnoreCase(Window.Location.getProtocol());
Cookies.setCookie("cookieName", "", new Date(0), null, "/", secureCookie);
Seems like in
boolean secureCookie = "https:".equalsIgnoreCase(Window.Location.getProtocol());
you have a stray : after "https" (since Window.Location.getProtocol() will presumably return "https", not "https:".) So, you are failing to set the cookie as "secure", and the result is quite expected.

Setting cookies in mojolicious response

How do i set a cookie in mojolicious response and later read it from the request. I tried different ways but none of them set cookie on the response object.
tried these ways
$self->res->cookies({name => 'foo', value => 'bar'});
$self->res->headers->set_cookie('foo=bar');
$self->res->headers->cookie('foo=bar');
plz, help!!
thanks.
You can use the shortcut methods directly from the controller:
# Set
$self->cookie(foo => 'bar');
# Get
$self->cookie('foo');
http://mojolicio.us/perldoc/Mojolicious/Controller#cookie
However, if your intent is simply to store a value and retrieve it on subsequent requests, there's no need to set cookies directly. Mojolicious sessions use signed cookies by default, will handle the complexities of the cookies, and will verify that the values have not been changed by the client.
# Set
$self->session(foo => 'bar');
# Get
$self->session('foo');
http://mojolicio.us/perldoc/Mojolicious/Controller#session
If sessions are the best solution for you, make sure you set your app secret. Also, check out:
http://mojocasts.com/e4#Session