I have used Shibboleth with manual login, meaning the user clicks the login link on a website which opens the external page where the Shibboleth login page is. Once authenticated it redirects them back to the original site to a Shibboleth enabled page.
My question is once logged in, and they go to another site, how can I authenticate them in automatically since they already have a Shibboleth session from the first site. Do they have to click an action like the first site which in turn will autologin them in with some implicit redirects the user doesn't see, or can I do this without the user clicking a login link without doing a check on every page load.
You can check for the presence of one of Shibboleth's headers, for example Shib_Authentication_Instant, and redirect if that's not present. You can do that on the server level rather than in your application logic, using, for example, mod_shib for Apache.
If you want to show "public content" and additional "member content", things get trickier. I guess you could have a landing page that requests some Shib-protected resource (1x1 invisible GIF with nonce in a query parameter, something AJAXy, whatever):
If your user is already Shib-authenticated, you can see that the resource is being loaded. (Otherwise, he'll be stuck in an invisible login dialog for that resource, which shouldn't matter, and you store that he's not authenticable in the session. This is not security-critical: if the user removes it, he'll go through the gif procedure again, and member content should depend on the headers that your shibbolized web server inserts for you anyway.)
But this is a crude hack, and usability depends on a "good" timeout for the marker gif request.
Related
I am attempting to implement a simple Facebook login flow for a web application using HTTP redirects, as detailed at https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2.
For the purposes of making this question generic, let's say the application URL is www.example.com/app.php. On the application page, there is a link which directs users to Facebook's OAuth endpoint, where ideally:
they log in to Facebook (if not already logged in) and approve my application permission to access their public profile
they are then redirected back to my application's URL along with some extra parameters appended (e.g. www.example.com/app.php?code=...&access_token=... if the login was successful, or www.example.com/app.php?error_reason=...&error=...&error_description=... if login/app approval was unsuccessful)
The Facebook OAuth endpoint is:
www.facebook.com/dialog/oauth?client_id=12345&redirect_uri=www.xyz.com/app.php
where I have filled in the client_id and redirect_uri parameters with my application's ID and my application's URL respectively.
What actually happens whenever I access the link is that it immediately redirects back to my application's homepage - without ever showing a login dialog of any kind. This happens with Firefox and with Chrome - both when I am logged in to Facebook and when I am not, in normal sessions and in incognito sessions with no plugins enabled. From the browser inspector, I can see that the Facebook OAuth page is definitely requested but is straight away 302 redirecting to my application page with just a code parameter appended.
www.example.com/app.php?code=...
This also happens when the Facebook OAuth link is accessed from pages other than my application's URL (e.g. if I click the link from www.example.com/other_page.htm).
I am unsure what I am doing wrong here; the application URL (www.example.com/app.php) is approved on my app dashboard in as many places as I could find, and changing the request_uri parameter to any other URL results in an error page. I have also tried urlencode()ing my application URL before passing it in the request_uri parameter, but the result remains the same. I don't know what to try next as as far as I can tell I have followed Facebook's manual login guide as closely as possible.
I have a script that sets some session values when the visitor hits the site (just visitor stats).
The user is then allowed to signup via twitter/facebook or via a "regular register" process.
Now when the user comes back from the twitter/facebook part of the login process the session values are cleared (but not unset).
The issue is that it only happens on one server (a clients server). On my own server and locally on my machine it's fine.
Is there a server/php.ini setting that may be causing some issues?
note: the facebook/twitter signin process re-directs to those sites as opposed to the "popup" window style of signing up - in case that makes a difference.
Haven't tried Twitter Login myself. But, Facebook, yes! From your footnote it is clear that you are using the PHP SDK for facebook which is not a very good(read-> g*ood looking*) choice. On October 3rd, Fb has released an updated version of Javascript SDK that you can use for the login. That workflow is beautiful. User clicks on your "Login with Facebook" button and a small pop-up opens up with the fb url and user authorizes and the pop-up goes away and the user is back on your site. With your current model, user clicks on the button and goes to another domain and then is again redirected. Check out the login with facebook from Miniclip.com and you would know what I am talking about.
As for your problem, without a look at your code, I feel the problem lies in the fact that PHP Session variables do not work cross-domain.
Picture this: user is on your site -> generates $_SESSION['id'] -> Now, redirected to Fb -> PHP $_SESSION is not going to work once they have left your domain -> -> you pull out your hair!!
Situation: I am developing a facebook canvas app. Facebook is sending my sever a POST request with the signed_request each time that a page is render. Inside my app I have all my links with target="_top" because if I don't, facebook send my server a common GET without the signed request. So I cann't check the user info.
Problem: It is too slow! even if I am testing it in local, each click that I press takes 1 sec to render and my canvas becomes completely white and then the info is shown, It will be a bad user experience.
My tests: If I remove the target=_top and I point all my links' href to my server without the app.facebook.com/whatever, it loads very quickly.
My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I can not check the signed request, I will only check it in the main page..
Any advice? any tutorial? Do I have any misundestanding of this? (It is my first facebook app)
Have you read the Server-Side Authentication tutorial?
You're doing it wrong.
Once the users lands in your app you should keep all links in the same frame, loading the entire window along with facebook is completely redundant.
What you should do:
When you get the POST with the signed request, decode it and check if the user is authenticated, if he is persist the data (token and such) somewhere (session, db, cache).
If he is not authenticated send him to the auth dialog as noted in the tutorial, when he gets back exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you'll be posted with the authenticated signed request, save it, etc..
Since you persist the data, in every request that is not POST or don't include the signed_request check your persistency choice for the data, and use it.
There should be only two times where facebook sends you the request, once it is POST when your canvas is loaded, the 2nd is when the user returns from the authentication dialog, in which you either get the code parameter or error in case the user declined the authentication.
Other requests should be from your app (inside the iframe) into the app servers.
JDL,
I believe you are querying the graph API at each request (and that's why you always need the signed_request). Is this right?
The graph API is pretty slow (~ 1 second/query) and you should use only when necessary. For example, when you first receive the access_token you should save it in your session and query the graph API to retrieve the respective facebook user info. But then you should put the info you need about this user in your session and only refresh it (using the graph API) when the signed_request access token is different from the one you have saved in your session.
The behavior of adding _top to the target of your links is ok and a good practice within facebook canvas.
When a user visits my site "www.mysite.com" I set a cookie for that specific user.
Next the user goes to Facebook, lands on an application tab and clicks the like button. An external page "www.mysite.com/facebooktab.html" is loaded into the Facebook canvas.
1. Now, do I have access from facebooktab.html to the cookie I set on www.mysite.com earlier?
2. Does the page loaded into Facebook show the same behaviour as when I would just visit www.mysite.com/facebooktab.html in my browser, except that when the page is loaded within Facebook I have some additional user properties available to me (since user is logged in in Facebook)?
The critical difference between the two scenarios is that when your page is loaded directly, the cookies you set/read are "first party" cookies; when your page is loaded inside the Facebook framework, the cookies become "third party". Each browser has its own set of rules, but they all apply different policies to third-party cookies versus first party cookies. You mentioned you are initially setting the cookie directly on your website (first-party mode), and then only reading it when the page is inside Facebook (third-party mode). Most browsers will allow that with no restrictions, as they only apply stricter third-party policies to the writing of cookies and not reading. The exception is Firefox, which lumps reading and writing permissions together. If a Firefox user has cleared the "Accept third-party cookies" box in their configuration, your page on Facebook will not be able to read the cookie you set earlier even though it was set directly on your website.
In my website, a user can view all pages without sign in but some information not displayed. Also when a user sign in, user can view all details of every page. my problem is, user views home, profile, portfolio, account page..... some page then go to sign in. after sign in, my webiste(url) redirect to previous page (before sign in page). how can i do using perl
Include the URL to redirect to in a hidden input in the login form.
If you have the login form on each page, then just include it directly. If you have a link to the login form, then pass the previous page in the query string.
If the login is successful, then redirect by issuing a Location HTTP header. How you do that depends on the HTTP library you are using. e.g. you might use the header method from CGI.pm.
Make sure that that URL you redirect to is a real URL (e.g. by parsing it with URI) and that it is on your own domain to avoid XSS attacks and attempts to use your site to redirect people to spam.