token-session | Simple token-based sessions | Authentication library
kandi X-RAY | token-session Summary
Simple token-based sessions
token-session Examples and Code Snippets
public boolean isSessionExpired(Cookie refreshCookie) {
    if (isRememberMe(refreshCookie)) { // no session expiration for "remember me"
        return false;
    }
    // read non-remember-me session length in secs
    int v
Community Discussions
QUESTION
We have a simple scenario, but the technologies (or implementation) have made things a bit complex:
We have Sitecore as CMS for the client's main web site and for business functionality we have Dynamics 365 Portal, and we are using Azure AD B2C as identity provider for both.
We have heavily customised the B2C custom policy to cater to specific requirements.
We are using the same custom policy in Sitecore and in Dynamics 365 Portals, so signing in individually works perfectly without any issues.
With regards to SSO, we have kept the configuration as OOTB as you can find it here.
Only 1 or 2 user journeys are absolutely perfect, as good as seamless journeys. In specific journeys we need the user to be logged in at both ends to make it work (we can force the user to go to the sign in page, but it is not required on all the pages).
In order to understand how real and proper SSO should work in Azure AD B2C, I have no idea or experience to relate this process to, so I am looking for guidance and help here.
I found very good information in this about how B2C works in terms of the sign-in and token-providing process, but it is a bit of an old question and things have changed a lot since then, specifically the UI and some of the operations.
ANSWER
Answered 2019-Nov-12 at 19:12
Use the following docs when configuring session management for a custom policy. The Session Behavior section is where you define the SSO behavior. Specifically:
If you want your users to get SSO between all applications, then define this value as "Tenant". There are several useful scenarios in creating separation between sessions - such as a company that has multiple brands that do not want to conflict each other. Or a separation of experiences.
Follow the exact format and location to be placed in your policy or you will not get the desired result.
Another concept that is important is the understanding the session provider:
SSO session management has two parts. The first deals with the user's interactions directly with Azure AD B2C and the other deals with the user's interactions with external parties such as Facebook. Azure AD B2C does not override or bypass SSO sessions that might be held by external parties. Rather the route through Azure AD B2C to get to the external party is “remembered”, avoiding the need to reprompt the user to select their social or enterprise identity provider. The ultimate SSO decision remains with the external party.
Session providers are used to define and maintain what goes into generating the session when your policy is being executed (inside the Identity Experience Framework). If marked incorrectly, this could lead to undesirable results such as wrong claims being sent, additional MFA prompts, parts of your policy not being maintained when run, or just general errors.
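The Session Behavior settings the answer points to live in the relying party policy file. The fragment below is an added example written for this page, not the answerer's configuration or Microsoft's sample: the tenant name, policy ids and output claims are placeholders, while the element names are those of the Azure AD B2C custom policy schema. It shows SingleSignOn Scope set to Tenant, the value the answer recommends for SSO across all applications, with the alternative scopes noted in comments, and it also covers the later question on this page asking how to configure Session Behavior.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example with placeholder tenant/policy names; this is the relying party
     file (e.g. SignUpOrSignin.xml), which inherits from TrustFrameworkExtensions -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_signup_signin"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin">

  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />

    <!-- The schema is order-sensitive: UserJourneyBehaviors must come after
         DefaultUserJourney and before TechnicalProfile, as the answer stresses. -->
    <UserJourneyBehaviors>
      <!-- Scope options:
           Suppressed  - no SSO session is kept at all
           Tenant      - one session shared by every app and policy in the tenant
           Application - session shared only by policies used from the same app
           Policy      - a separate session per policy -->
      <SingleSignOn Scope="Tenant" />
      <!-- Rolling renews the session on each use; Absolute expires at a fixed time -->
      <SessionExpiryType>Rolling</SessionExpiryType>
      <!-- Allowed range is 900 to 86400 seconds -->
      <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
    </UserJourneyBehaviors>

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="displayName" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>

</TrustFrameworkPolicy>
```

Because the scope is a property of each relying party file, every policy that should take part in the shared session (the Sitecore one and the Dynamics Portal one in the question) needs the same Tenant value; a policy left at a narrower scope will keep prompting even though the others share a session.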
QUESTION
If we develop a native application for B2C and, after the user logs in, he clicks a link to a web application in the same B2C tenant, and if the SSO settings in B2C are set to tenant:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-token-session-sso
Can we achieve SSO i.e. a user is not asked to re-enter credentials?
ANSWER
Answered 2019-Jan-11 at 05:59
Independent of how the different applications are registered with the Azure AD B2C tenant and what the SSO options are set to, the SSO session is implemented by browser cookie(s) that Azure AD B2C maintains in the browser session.
So, if you can share the browser cookies between your native app and your web site on the same device, then you should experience SSO between the two apps.
Authentication libraries, such as AppAuth for Android, AppAuth for iOS, Microsoft Authentication Library (MSAL) for Android and MSAL for iOS, implement the browser integration between your native app and Azure AD B2C for you. They also implement "the best current practice [which] is to perform the OAuth authorization request in an external user agent (typically the browser) rather than an embedded user agent (such as one implemented with web-views)."
It's a bit challenging to follow whether the native platforms do allow the browser cookies to be shared between apps and sites on the same device but I'll attempt to summarize my current understanding.
For Android, AppAuth and MSAL use Chrome Custom Tabs, which does allow the cookie data ("the cookie jar") to be shared so "users don't have to log in to sites [e.g. Azure AD B2C] they are already connected to".
For iOS 11, AppAuth and MSAL use SFAuthenticationSession, which does allow the cookie data to be shared but "users are prompted by a dialog to give explicit consent" to do so.
For iOS 10 and 9, AppAuth and MSAL use SFSafariViewController, which also does allow the cookie data to be shared.
QUESTION
When using custom policies:
- How do I configure the Session Behavior?
- How do I configure Token lifetimes?
ANSWER
Answered 2018-May-14 at 21:57
QUESTION
As per the Azure AD B2C documentation we can configure SSO for an Azure AD B2C application. We want our users to do self-registration for the application, thus we opted for AD B2C.
However, after creating the B2C tenant account and configuring all the policies, I am unable to find the option to configure SSO. Since after 30th Nov 2017 Active Directory will only be available in the new portal, kindly provide a reference wrt the new portal. Any help will be appreciated.
Thanks in advance.
ANSWER
Answered 2017-Nov-17 at 07:07
As the document in your question said, if you have multiple applications and policies in your B2C tenant, you can manage user interactions across them using the Single sign-on configuration property. You can also add external identity providers like Google, Facebook, etc.
If you want to know how it works and how to configure SSO in Azure AD B2C, you can refer to this document.
Also, if you want to configure SSO for applications in your B2C tenant (the Directory):
Go to Azure portal > Enterprise applications > Add Non-gallery applications, or applications in the Gallery.
After adding apps in Enterprise applications, you can select your app and enable SSO for it.
Hope this helps!
Update
Adding custom applications requires Azure AD Premium.
You can also activate Azure Active Directory Premium free for one month.
Now, you can add your own custom applications in Enterprise Applications and then configure SSO for it:
QUESTION
I created a custom page in the admin panel and want to add a "save" button to it. I get a link ($save_table_link) to my controller function that saves the data, like so:
ANSWER
Answered 2018-Feb-16 at 05:28
As far as I know the link for any admin module in opencart needs to have a token. If it doesn't have the token it will not recognise the user session, hence you get that error & get logged out.
Try replacing this
$this->url->link('module/xml_auto_upload/save_table', 'user_token=' . $this->session->data['token'], true)
with
$this->url->link('module/xml_auto_upload/save_table', 'token=' . $this->session->data['token'], true)
QUESTION
I am able to retrieve refresh tokens for my custom B2C policies but would like to increase the token lifetime to the max limit or set the sliding window lifetime to No Expiry.
This was able to be done via the Azure Portal B2C settings for Basic policies but is not available in the portal for custom policies.
How can I configure this in my policies?
ANSWER
Answered 2017-Aug-07 at 21:52
Check out this article.
Specifically add the following in your RP technical profile.
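The answer points at a metadata block to add to the policy. As an added example (not the answerer's code or Microsoft's sample), here is where refresh token lifetimes are set in a custom policy: the JwtIssuer technical profile of the Token Issuer claims provider, overridden in your TrustFrameworkExtensions file. The metadata keys are the documented ones for the Azure AD B2C custom policy token issuer; the surrounding wrapper and the values are placeholders chosen to match what the question asks for (longest refresh token window and no expiry on the sliding window). The same block answers the earlier question on this page about configuring token lifetimes.

```xml
<!-- Added example; goes in the ClaimsProviders section of TrustFrameworkExtensions.xml
     and overrides the JwtIssuer profile inherited from TrustFrameworkBase.xml -->
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Token Issuer</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="JwtIssuer">
        <Metadata>
          <!-- Access token lifetime: 300 to 86400 seconds (default 3600) -->
          <Item Key="token_lifetime_secs">3600</Item>
          <!-- ID token lifetime: 300 to 86400 seconds (default 3600) -->
          <Item Key="id_token_lifetime_secs">3600</Item>
          <!-- Refresh token lifetime: 86400 (1 day) to 7776000 (90 days), default 14 days;
               the question asks for the maximum -->
          <Item Key="refresh_token_lifetime_secs">7776000</Item>
          <!-- Sliding window: 86400 to 31536000 seconds (365 days), default 90 days;
               not applied while allow_infinite_rolling_refresh_token is true -->
          <Item Key="rolling_refresh_token_lifetime_secs">7776000</Item>
          <!-- true is the portal's "No expiry" for the sliding window;
               false makes the window above the hard limit -->
          <Item Key="allow_infinite_rolling_refresh_token">true</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

With the sliding window set to no expiry, a refresh token stays usable for as long as it keeps being exchanged, so the access and ID token lifetimes above are the only short-lived part; keep those at the defaults and make sure you have a way to revoke a user's sessions if a refresh token is ever exposed.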
QUESTION
It looks like Firebase, when they moved from the v2 to v3.x SDKs (and now into v4), decided to remove the option for automatic session expiration in favor of the always-authenticated model.
- Firebase 3.x - Token / Session Expiration
- https://groups.google.com/forum/#!topic/firebase-talk/uYMlQny1Jb4
This is a nice feature to offer, but from a cybersecurity perspective, I see some problems as this is the only option for the Firebase SDKs with Firebase-generated tokens such as email and password authentication (some of which are explained well in the linked google group discussion).
The commonly-provided suggestion to call user.signOut() on page exit has some holes. Namely, if the client crashes, then this code is never executed and therefore the strategy falls apart. The "sign out on page load" suggestion also has holes in it:
- Forces all users to log in every time the page loads/reloads (not the goal)
- As Firebase pushes most everything to the client, there is nothing stopping someone from creating a script that attempts to access a targeted Firebase without having the user.signOut()
I'm looking for a strategy that does a better job, from a cybersecurity perspective, that allows a user to opt in to the "always-authenticated" strategy if he/she so chooses, rather than it being the default (i.e. with a "Remember Me" button).
One strategy I came up with is as follows:
- User signs in
- Get the generated JWT for that session and write it to Firebase
- If the user didn't select "remember me" on sign in, set up an onDisconnect handler that clears the token from the list of that users tokens
- In Firebase security rules, ensure that the JWT for the user making the request is in the list of tokens for that user
This feels more secure because the onDisconnect method will still execute even if the browser crashes. But, the JWT is not available as a Firebase rules variable (only the contents of the token)!
In light of these issues/flawed approaches, how can I invalidate a session after the browser closes/crashes (or even after a pre-determined period of time) with a Firebase-generated token?
ANSWER
Answered 2017-Jul-06 at 22:46
Here is a suggestion: the ID token has an auth_time field. This is the time the user authenticated; you can force whatever session length you want. You can enforce that if you validate the token on your server or via database rules using https://firebase.google.com/docs/reference/security/database/#now and auth.token.auth_time. Check https://firebase.google.com/docs/reference/security/database/#authtoken.
You would require the user reauthenticate to access the data. Reauthentication will update the auth_time in the token.
This is a better approach since keeping track of all ID tokens will not scale well and ID tokens expire after an hour and new ones will be refreshed after the user returns to the app but will maintain the same auth_time.
Not sure if this will alleviate your concerns but Firebase is looking into the following features:
- The ability to specify persistence for web authentication. This is similar to how sessionOnly auth worked in Firebase 3.x. This will make "Remember Me" functionality easy to implement.
- The ability to revoke sessions.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported