I have a CSRF Token on the login page, which works as expected. So when user has the login page open for a long time (the token has expired in the background). When they enter their login credentials correctly, it tells them that the action is invalid because the token has expired and redirects them to login page again, where they can now successfully enter.
I think the behavior is as expected, because the CSRF token has become stale and an explicit action has fetched the correct token. The users hate it because they need to enter the login information twice.
ANy advice? This seems like a very common problem with CSRF on a login page that sits there for a long time..
Thanks and appreciate any help.
Given what you specify in the comment, I'd suggest you implement an automatic refresh set to around the same interval as the expiration of your CSRF tokens.
Just throw this into the <head> tag:
<meta http-equiv="refresh" content="300">
In this example, it will refresh every 5 minutes.
Related
Today I was looking into the <cfoauth> tag of ColdFusion 11.
Steps I followed:
I have created one app on Facebook using my local site url (http://cf11local.com/).
I got the client id and the secret key.
In Login.cfm I have used:
<cfoauth type="facebook"
clientid="***"
secretkey="************"
result="res"
redirecturi="http://cf11local.com/login.cfm"
scope=email>
I have successfully retrieved all my Facebook info in a structure format.
Now my question is:
How will I check in each page that the particular user is logged in using Facebook or not?
How will I implement the logout functionality by this?
To integrate facebook functionality into your site, you need to follow steps mentioned bellow:
Provide 'Login Via Facebook' option
Once the user clicks the Facebook login button, user will be asked to login to facebook if the user is not already logged in. If the user is already logged in, the user will be prompted with a popup to grant permissions to access information.
Once the user give permission or if the user already authorized your app, the user will be immediately redirected to your redirect url that you specified in oauth tag's redirecturi attribute along with the login info in a variable mentioned in oauth tag's result attribute. The result attribute will be a struct. (You have achieved this till now. Thanks for being patient.)Now to answer your question.
You need to keep this result variable into the session scope so that it can be accesed in the same session in other pages. You can do this using <cfset Session.fbinfo = #res#>
After this redirect the user to the desired page by using cflocation tag. <cflocation url = "desired page">
On every page, check whether the user's login info is in the session scope or not. If the session does not have the login information, redirect him to login page.<cfif (not isdefined('Session.fbinfo'))>
<cflocation url = "login page">
</cfif> If session has login info, well the user is free to access site.
Once the user logs out, you need to invalide the access token present in the session. You can do that using InvalidateOauthAccesstoken("access token", "facebook")
Clear the user information from the session. <cfset StructClear(Session)>
I have a purely server-side application that I'm writing that needs to pull a feed from a Facebook page. The page is "age-restricted (alcohol related)" so, doesn't allow the graph API access without an access token.
It works perfectly and returns a perfectly readable JSON feed if the access token is used:
https://graph.facebook.com/<page_id>/feed?access_token=<access_token>
The problem is that access tokens expire. Fortunately I have a "non-related" App_Id and can easily get a new access token by visiting in a browser:
https://www.facebook.com/dialog/oauth?client_id=<my_app_id>&redirect_uri=http://localhost:8080&scope=manage_pages&response_type=token
The first time I visit this URL (in a browser) it asks me to allow "App" to post to "My pages", and of course I say yes. It never asks me again. Now I just get redirected to a new URL, with an awesome access token in it.
http://localhost:8080/#access_token=<awesome-access-token>&expires_in=4482
I would typically just be able to read this value out of the querystring parameters, but I realised that it's a page framment (#) URL that cannot be read by the server-side code.
I also tried intercepting the first URL redirect, and reading out the 302 LOCATION header, but alas, it seems like a redirect chain.
How do I solve this problem?
I have a ColdFusion web page that gets refreshed by my server every x minutes. That script checks various feeds (Facebook, YouTube, and internal news items) and builds a merged feed in chronological order. The Facebook part just pulls post data from our Facebook Fan Page. I can do this with the OAuth token provided when I authorize my app from our account.
The token expires every couple of months or something I think. It lasts a pretty long while, and I have read there is no way to auto Authorize an app. I however keep reading about these refresh tokens or something but can't get a clear grasp on how they work.
I would like my script to attempt to get the JSON data from Facebook, and if the token expires every so often, re-request it, but it appears that just hitting the graphs.facebook.com/oauth/authorize link again doesn't work because obviously you need to be logged in for it to authorize something.
Is there anyway I can internally reauthorize or refresh my token server side. This Facebook app, site, and Facebook users are all completely internal. There used to be an RSS feed of facebook pages, but Facebook changes stuff all of the time and I don't see it anymore.
All I really need is the data from the timeline/feed for my Facebook Company Page.
Any solutions or suggestions would be helpful.
ANSWER: This is what I ended up using to get the data based on the content. Below grabs the token, then uses the token to grab the feed data and puts it into a struct. It may not be the most concise way, but it works.
<cfhttp url="https://graph.facebook.com/oauth/access_token?client_id=[CLIENTID]&client_secret=[CLIENTSECRET]&grant_type=client_credentials&redirect_uri=[URL] "
result="AccessHTTP" />
<cfset token = replace(AccessHTTP.Filecontent,"access_token=", "", "ALL")>
<cfhttp result="result" url="https://graph.facebook.com/[USERNAME]/posts?access_token=#token#" ></cfhttp>
<cfset Facebook = deserializeJSON(result.filecontent).data />
I just grab the token every time my page loads..
<cfhttp url="https://graph.facebook.com/oauth/access_token?client_id=your_client_id&client_secret=your_secret&grant_type=client_credentials" result="ThisHTTP" />
<cfset this.access_token = '#replace(ThisHTTP.Filecontent,"access_token=", "", "ALL")#'>
///Run Your Code Below using #this.access_token# when you need it. ///
I'm using the standard Facebook like button from their developers page, https://developers.facebook.com/docs/reference/plugins/like/
The only problem I'm having is that the page with the like button is on a page which requires the user to be logged in.
I've tried passing the variables to Facebook w/ the typical
<meta property="og:title" content="Test" />
When the like button is clicked, it shows up on facebook, but with the Title from the login page. Is there anyway around this?
The reason for this is that Facebook's servers will try to fetch the page your user is liking but they don't have the session cookie for your server to consider the request to come from a logged in user. One solution is to put some token on the URL you are linking to. Ex: xxx.yyy.xxx/securepage?fb=123456
Going to the secure page check if user logged in OR fb=someexpected value.
Token could be: CurrentTime + HMAC signature with your private secret. When you check the fbtoken check it against your private secret and that it is not to old to let facebook in.
So, Here is the scenario I am trying to fix.
A returning user is logged into facebook but not logged into the application. In this case when the user tries to load the application, since the user cookie is not attained yet, it redirects the user to the login page.
I googled around and found this solution,
FB.Event.subscribe('auth.sessionChange', function(response) {
if (response.session) {
window.location.reload();
}
}
basically whats happening here is, we are registering to facebook for a login/logout event and when it receives a response, we reload the page. Now its loads the right page since we have the user cookie on our site domain after the first load.
this works, but the problem is the double load. It takes a lot of time.
How can I attain the user cookie on server side for returning user? so that I don't have to do the initial page reload.
Also, I have looked at yelp, and somehow they are able to load the user information without doing double load, does anybody know how they are able to do it?
Any help is greatly appreciated,
Thanks!
Try using iframe to load login page again, just containing that; and you can pull data from iframe in sync.