Oak Login Token Configuration - aem

I'm facing an issue in AEM6.1 where the users have an invalid login-token (due to having an expired session). They make a request to AEM author which then has an error because they are basically an anonymous user attempting to view a page. The access problem results in a 404. The ACS error page tries to handle it, but the error page, like everything else on author, is not readable to an anonymous user. So it has a Java exception, and the user is left with a white screen of death.
The login-token cookies in the browser have no expiration. They appear to be configured to stick around until the session is closed by the users. I would like to set expiration on the login-token cookies.
I've researched around but do not see how this is done. The aemstuff site http://www.aemstuff.com/#article964 points to "Apache Jackrabbit Oak TokenConfiguration", but this was already set to 43200000, and further changes do not affect the login cookie expiration as far as I can see.
My question for SO is: is there a way to set the login-token expiration on the cookie? It seems like a bug with "Apache Jackrabbit Oak TokenConfiguration", or is it?

Create Apache Jackrabbit Oak TokenConfiguration as a config node.
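The config node this answer refers to, written out as an added example that is not part of the original answer: a sling:OsgiConfig node for the Oak TokenConfiguration, using the 43200000 ms (12 hour) value already mentioned in the question. The PID and the tokenExpiration property name are those of Oak's TokenConfigurationImpl service; the /apps/myproject path is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Constructed example. File path in the content package (placeholder project name):
  /apps/myproject/config.author/org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl.xml
  The node name is the OSGi PID; the config.author folder limits it to the author run mode.

  tokenExpiration is in milliseconds and bounds the server-side lifetime of the
  login token. It does not add Max-Age/Expires to the browser's login-token cookie,
  which stays a session cookie, so keep this value shorter than the IdP session
  timeout so the token expires first and the user is sent back through SSO.
-->
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcp.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
          tokenExpiration="{Long}43200000"/>
```

After deploying, the value can be checked in the Felix console under "Apache Jackrabbit Oak TokenConfiguration".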

In case others face similar problems, here are some of the things I learned about this:
login-token expiration can be configured as suggested by disha. It is used on the backend only. I think it's very typical for browser session cookies to not have the expiry set.
The WSOD issue experienced may have been helped by adjusting this session timeout to slightly less than the IDP timeout.
I think it's very important to use Java 8 with AEM6.1 and perhaps other versions as well. When we upgraded from AEM6, Java 7 remained our running version. Possibly the SAML SSO uses Java 8 things. After going to Java 8, users never had the WSOD again.

Related

Updating Shiro 1.2.6 to 1.3.0 breaks access to server side

In my application I updated only the Shiro library, from shiro-all-1.2.6.jar to shiro-all-1.3.0.jar. I did not change any other libraries, nor configuration files, other than the build path to refer to the new Shiro library.
The logs show that the users do actually get logged in, but the server side is not accessible anymore, right after shiro login.
Trying to figure out what changed between 1.2.6 and 1.3.0, and what settings I need to change to make the application work as before.
Thanks a bunch!
-Alina.
After more digging, I found out that the connection to the server was lost due to the fact that in the process, a new session is created, as the initial session is lost.
When calling Session session = currentUser.getSession(), I expect to get the same session associated with the logged-in user. Instead, a new session is created, because the old one does not persist.
Again, this is happening with Shiro 1.3.0, but not with Shiro 1.2.6.
I am wondering if there is a setting that we need to apply, for the session to persist, and not get lost. I wonder if the session times out instantly.

How can I access Box periodically from a server, starting with a Developer Token?

This is basically the same question as How to get an access token without Box’s authorization page. I see that the Python package mentioned at the end (box.py) is no longer maintained because of support issues with Box. I suspect the solutions given might no longer work.
I'm just getting started with boxsdk and I want a way to periodically list the contents of my folder without requiring user interaction. This looks like the answer but it also seems very odd that a Developer Token, which is temporary, could be used for long-term queries like this.
I'm trying to work through boxsdk to see how I can implement the solution provided in 2014 but it would sure help to know whether or not it's still possible.
I just stumbled across this:
Introducing Developer Tokens
"There is no refresh token paired with the token"
That's from February 18, 2014.

Windows Identity Foundation STS: other types of requests?

I'm using WIF. I developed an STS that works well. The STS itself performs the login (basically using the pre-rolled code that comes with Microsoft MVC). So far we have two relying parties that can use the encrypted identity cookie just fine. Here's the thing: since all that code is in the STS, I want the STS to also do other functions like register new users, change passwords, etc. All that pre-rolled stuff. However, after a login, any request to a route in the STS (say, account/register or even account/login) fails with "Key not valid for use in specified state". I've spent quite a bit of time, and I have two working RPs to copy from in trying to configure this thing to decrypt the cookie. I'm concluding it's not configuration. I think maybe an STS will only respond to identity requests. Oddly, this all works on IIS express (on my laptop) but gives the above error on IIS. The first thought then, is certificate protection. However, when that is misconfigured you can't even log in, so I know the STS can access the certificate. Sorry it's all a bit vague but I'm hoping somebody has good ideas or domain knowledge. Thanks much-
You can ensure WIF uses separate cookies for the STS and each RP by naming them differently in your setup for each site (i.e. stsauth, rp1auth, rp2auth).
You can set up the names explicitly on the ChunkedCookieHandler object on each site at application start time.
var chunkedCookieHandler = new ChunkedCookieHandler {
    RequireSsl = false,                 // allow the cookie over plain HTTP (dev only)
    Name = "stsauth",                   // distinct name per site: stsauth, rp1auth, rp2auth
    Domain = domain,                    // cookie domain for this site (set elsewhere)
    PersistentSessionLifetime = new TimeSpan(0, 0, 30, 0)   // 30 minutes
};
See here for the full code to do this:
A standard STS is only concerned with sign-in and sign-out. However, as many learn, there are many other flows that concern the "user" thing. There is change password, lost password, change email (in fact change any claim), refresh password, try to sign in, register, register with Facebook, .... There is no standard way of dealing with these.
We have solved this by extending the "actions" that can be sent to our STS. Instead of signin1.0 and signout1.0 we allow a total set of 20 actions to be tapped in directly by our RPs.
Your STS should have its own cookies. It should never share the cookie with one of the relying parties. That way you cannot normally have a problem of decrypting or encrypting keys.

What exactly am I supposed to do for OAuth 2.0 and https update?

I am a PHP developer. I created an application using FBML (non-iframe) and didn't check the roadmap regularly.
Today I received an email saying update to OAuth 2.0 and HTTPS by October 1st or the apps may be disabled.
I went through the documentation but could not get what exactly I am supposed to do.
From what I understood:
For HTTPS, we need to enable or buy SSL for our site, make https://example.com/facebookapps_folder/ accessible and fill in the new URL in Secure Canvas URL.
Is that right?
I am confused about OAuth 2.0. For this, do we need to change the whole code and the libraries we are referring to?
Where can I find out how to change it?
I see some PHP examples but could not find a clue about what needs to be changed.
I think it is the way authentication is being done, but how do I do that?
If I fail to do it immediately (as only 3 days are left), is there any way I can save my application from being disabled?
Make sure you have implemented OAuth 2.0 for authentication. Also, you will need an SSL certificate for your app to support the https:// protocol.

How to activate http referer from server / cpanel?

My issue is about $_SERVER['HTTP_REFERER']. I can't get the value of http_referer on my server, or maybe it's due to Firefox. I've also printed print_r($_SERVER); but it still doesn't provide me the previous page's link.
This is directly from PHP.net:
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
I'm thinking it may be a Firefox issue. What version are you using?