Securing an OAuth / OpenID Connect identity in a cookie for easy login


I have a website that uses Azure Active Directory or Google+ to sign in. I have their identities through an OAuth2 login flow and the users

the user email address, and foreign resources (tokens and other things) are stored using the email address as a foreign key. Right now I am saving the user's email address in a heavily encrypted string; when the page loads, I find the cookie, decrypt it, read the email address and open that account.

Is it safe? Is there a good pattern to keep users identifiable?

Tablets:

I do not want to force my users to log in every time.

But, more important:

It needs to be safe.

For the Azure AD part, you can use our web sign-on sample. Configure the cookie to be persistent. The cookies produced by the OWIN middleware are signed and encrypted, so you will be fine on that side, but this will not save you from the general issues of session persistence. It is not recommended, because all sorts of things will go wrong: it will be impossible to revoke the Azure AD token (unless you have server-side logic that attempts to redeem the latest token in every new session), and you will open yourself up to walk-ins, cookie theft attack scenarios, lost devices, and so on.

"I do not want to force my users to log in every time they go to the website." Your users might be persuaded otherwise: most likely your users are maintaining a session with that identity system at all times, which means that if you have made your website an SSO with that identity system, the user will still experience a smooth sign-in even if you do not persist sessions. What you lose is that you cannot be entirely sure the user will have an active session with the system, but you gain a lot in terms of security; for example, a user who has been removed from that directory can no longer sign in, and so on.
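The answer's two points (the cookie must be integrity-protected, and the server still needs a way to stop a removed user from signing in) can be shown in a few lines. The following is an added example, not code from the question, the answer, or the OWIN middleware they discuss. It issues an HMAC-signed cookie carrying the subject, an issued-at time, an expiry and a "directory version", and on every request it verifies the signature, the expiry and that the user still exists in a constructed stand-in for the identity provider's directory. Encryption of the payload for confidentiality (which OWIN adds on top of signing) is a separate layer not shown here, since the standard library has no authenticated cipher; the signing key, directory contents and lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for this example only; a real deployment loads it
# from a secret store and rotates it.
SERVER_KEY = b"example-only-cookie-signing-key-rotate-me"

# Constructed stand-in for the identity provider's directory: email -> version.
# Removing an entry (or bumping its version) invalidates every outstanding
# cookie for that user, which is the revocation the answer says a plain
# persistent cookie cannot give you.
DIRECTORY = {"alice@example.com": 1, "bob@example.com": 1}

# Constructed lifetime after which the user must re-authenticate with the IdP.
MAX_AGE_SECONDS = 8 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    # HMAC over the exact serialised payload bytes; any change breaks the tag.
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_cookie(email: str, now: Optional[float] = None) -> str:
    """Mint a signed cookie value for a user who just completed the IdP login."""
    now = int(time.time() if now is None else now)
    claims = {"sub": email, "iat": now, "exp": now + MAX_AGE_SECONDS, "ver": DIRECTORY[email]}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email, or None if the cookie must not be trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # persistent cookie has aged out; send the user back to the IdP
    email = claims["sub"]
    if DIRECTORY.get(email) != claims["ver"]:
        return None  # user removed or access revoked since the cookie was issued
    return email


def remove_from_directory(email: str) -> None:
    """Simulate the IdP administrator deleting the account."""
    DIRECTORY.pop(email, None)


def tamper_subject(cookie: str, new_email: str) -> str:
    """Rewrite the subject claim but keep the old tag, to show the check rejects it."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_email
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(forged) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_700_000_000
    c = issue_cookie("alice@example.com", now=t0)
    print("fresh cookie ->", verify_cookie(c, now=t0 + 60))
    print("expired cookie ->", verify_cookie(c, now=t0 + MAX_AGE_SECONDS))
    print("forged subject ->", verify_cookie(tamper_subject(c, "bob@example.com"), now=t0 + 60))
    remove_from_directory("alice@example.com")
    print("after removal ->", verify_cookie(c, now=t0 + 60))
```

The cookie value should additionally be sent with the `Secure`, `HttpOnly` and `SameSite` attributes; those mitigate theft in transit and from scripts, while the expiry and directory check above bound how long a stolen or stale value stays useful.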
