RE: 4D Web Log Out

2019-03-04 Thread Epperlein, Lutz (agendo) via 4D_Tech
Hi Douglas,

> In our case we land the user at a login page which handles the httpAuth send
> avoiding the nasty dialog.
> If the user is not authenticated they do not get in.  No problem there.
> If the user is authenticated then they are taken to the application (written
> in Angular)
> At some point they will click the logout button/link and this would cause the
> session to close (WEB CLOSE SESSION) and they are redirected to the login page.

Nearly the same as what we do. I don't see a problem here.

> If they then typed in the index of the application index.shtml file the
> browser was still passing in the old username and password so the client was
> getting through the On Web Authentication and was issued with a new session ID
> and could use the system as before the logout.

That's a bit strange and I don't understand it fully. 
Only one guess:
You mentioned Angular as the web framework (some call it platform, anyway).
I don't know the architecture of your web app, but it seems the problem is 
buried there. With Angular you produce so-called single page applications 
(SPA). That means that all the data entered are stored in the front end. 
Angular works with scopes, where the data is stored. So I think you have a 
scope containing the user credentials and if you go back to your start page 
these credentials are still there in this scope. The start page isn't really a 
new page since you have a single page application.
What you have to do is delete them or destroy the scope after sending the 
credentials to the server. Your current solution (see below) tries to locate the 
problem in the backend/the server. But I'm quite sure the problem is related to 
your frontend code and has nothing to do with 4D.
And for security reasons it is better to delete the credentials immediately 
after the login request, whether it is successful or not. 

Disclaimer: This hint is a guess as I said already since I don't know enough 
about your application.

Regards
Lutz 

> What I have done today is when the logout happens I now place a call using JS
> from the logout page with invalid (null) credentials which causes the username
> and password to be cleared.  Having carried out significant testing we have not
> been able to get back in to an application page following a log out using this
> method.
>
> Regards,  Dougie
**
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: 4D Web Log Out

2019-03-02 Thread Douglas Cryer via 4D_Tech
Lutz,

Re:
> I don't really understand your problem. What do you mean by "the browser
> still persists with the username and password"? Does it mean that you send
> these credentials with every request to the web server?

> What we do is this:
> If the browser makes a request without a cookie or with a wrong cookie, the
> server sends an HTTP 401 response and the user gets a login dialog. After
> checking the credentials on the server side the server sends a cookie. All
> subsequent requests will carry the cookie, the browser does this for you.
> And the server checks at every request if the cookie is valid.
> If the user presses the logout button the server sends a cookie as a response
> with a cookie expiration of 0 or an expiration date in the past.
> The built in 4D sessions work the same way AFAIK.

In our case we land the user at a login page which handles the httpAuth send 
avoiding the nasty dialog.
If the user is not authenticated they do not get in.  No problem there.
If the user is authenticated then they are taken to the application (written in 
Angular)
At some point they will click the logout button/link and this would cause the 
session to close (WEB CLOSE SESSION) and they are redirected to the login page.

If they then typed in the index of the application index.shtml file the browser 
was still passing in the old username and password so the client was getting 
through the On Web Authentication and was issued with a new session ID and 
could use the system as before the logout.

What I have done today is when the logout happens I now place a call using JS 
from the logout page with invalid (null) credentials which causes the username 
and password to be cleared.  Having carried out significant testing we have not 
been able to get back in to an application page following a log out using this 
method.

Regards,  Dougie


telekinetix Limited- J. Douglas Cryer
Phone : 01234 761759  Mobile : 07973 675 218
2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
Email : jdcr...@telekinetix.com  Web : http://www.telekinetix.com 


 

On 01/03/2019, 15:56, "4d_tech-boun...@lists.4d.com on behalf of 
4d_tech-requ...@lists.4d.com" <4d_tech-boun...@lists.4d.com on behalf of 
4d_tech-requ...@lists.4d.com> wrote:

I don't really understand your problem. What do you mean by "the browser 
still persists with the username and password"? Does it mean that you send 
these credentials with every request to the web server?

What we do is this:
If the browser makes a request without a cookie or with a wrong cookie, the 
server sends an HTTP 401 response and the user gets a login dialog. After 
checking the credentials on the server side the server sends a cookie. All 
subsequent requests will carry the cookie, the browser does this for you. And 
the server checks at every request if the cookie is valid.
If the user presses the logout button the server sends a cookie as a response 
with a cookie expiration of 0 or an expiration date in the past.
The built in 4D sessions work the same way AFAIK.






RE: 4D Web Log Out

2019-03-01 Thread Epperlein, Lutz (agendo) via 4D_Tech
I don't really understand your problem. What do you mean by "the browser 
still persists with the username and password"? Does it mean that you send 
these credentials with every request to the web server?

What we do is this:
If the browser makes a request without a cookie or with a wrong cookie, the 
server sends an HTTP 401 response and the user gets a login dialog. After 
checking the credentials on the server side the server sends a cookie. All 
subsequent requests will carry the cookie, the browser does this for you. And 
the server checks at every request if the cookie is valid.
If the user presses the logout button the server sends a cookie as a response 
with a cookie expiration of 0 or an expiration date in the past.
The built in 4D sessions work the same way AFAIK.

Regards
Lutz

--  
Lutz Epperlein  
--
Agendo Gesellschaft für politische Planung mbH
Köpenicker Str. 9
10997 Berlin
http://www.agendo.de/
--
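
The cookie flow described in this message, as an added example (not code from the thread or from 4D): a Node.js in-memory model in which a username and password are accepted only at the login endpoint, so credentials the browser keeps resending cannot open a new session after logout. The names `handle`, `SID`, `/login`, `/logout` and the sample account are assumptions made for the example.

```javascript
// Added example: in-memory model of cookie sessions; not 4D code.
const nodeCrypto = require('crypto');

// Constructed sample account (a real system stores password hashes, not plaintext).
const USERS = new Map([['alice', 'constructed-password']]);
const sessions = new Map(); // session id -> username

function safeEqual(a, b) {
  const h = (s) => nodeCrypto.createHash('sha256').update(String(s)).digest();
  return typeof a === 'string' && nodeCrypto.timingSafeEqual(h(a), h(b));
}

function cookieSid(headers) {
  const m = /(?:^|;\s*)SID=([0-9a-f]+)/.exec(headers.cookie || '');
  return m ? m[1] : null;
}

function basicCreds(headers) {
  const m = /^Basic (.+)$/.exec(headers.authorization || '');
  if (!m) return null;
  const [user, ...rest] = Buffer.from(m[1], 'base64').toString().split(':');
  return { user, pass: rest.join(':') };
}

// Returns { status, setCookie? } for one request.
function handle(method, path, headers) {
  const sid = cookieSid(headers);
  if (method === 'POST' && path === '/login') {
    // The only place where a username and password are looked at.
    const c = basicCreds(headers);
    if (!c || !safeEqual(USERS.get(c.user), c.pass)) return { status: 401 };
    const id = nodeCrypto.randomBytes(16).toString('hex');
    sessions.set(id, c.user);
    return { status: 200, setCookie: `SID=${id}; Path=/; HttpOnly; Secure; SameSite=Strict` };
  }
  if (method === 'POST' && path === '/logout') {
    sessions.delete(sid); // server-side invalidation: a replayed cookie value is dead
    return { status: 200,
      setCookie: 'SID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure' };
  }
  // Every other request: only a live session cookie counts, Authorization is ignored.
  return sessions.has(sid) ? { status: 200 } : { status: 401 };
}
```

A cookie set with `HttpOnly` cannot be read or cleared by page JavaScript, so the expiry has to come from the server, as in the `/logout` branch.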




Re: 4D Web Log Out

2019-03-01 Thread Douglas Cryer via 4D_Tech
Dani,

Re: Have you looked at the "WEB CLOSE SESSION" command?
   That is probably what you are looking for assuming you are using the 
built in 4D sessions.

Yes I have looked extensively at that command and I am using it.  The examples 
all deal with how you would use it with regard to the "On Web Connection" method 
and handling storage of session data for future use.

The problem is that the browser still persists with the username and password 
so it is able to re-authenticate getting a new session and continuing as if the 
user was OK.  The only way we can currently think of is to make a call from the 
logout page with invalid credentials forcing a rejection and thus resetting any 
good credentials that are persisting on the client.

We plan to try this today but I feel this is wrong and I must be missing 
something.

Regards,  Dougie


telekinetix Limited- J. Douglas Cryer
Phone : 01234 761759  Mobile : 07973 675 218
2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
Email : jdcr...@telekinetix.com  Web : http://www.telekinetix.com 






Re: 4D Web Log Out

2019-02-28 Thread Dani Beaubien via 4D_Tech
Have you looked at the "WEB CLOSE SESSION" command?

That is probably what you are looking for assuming you are using the built in 
4D sessions.

Dani Beaubien
Open Road Development

> On Feb 28, 2019, at 9:38 AM, Douglas Cryer via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Hello folks,
> 
> Forgive me if this question has been asked many times before but I am a bit 
> stumped.
> 
> Logging on to 4D via a web page is relatively simple either using the nasty 
> dialog or rolling your own page to submit the httpauth details.
> 
> Logging off however is proving to be more difficult.
> 
> I can give the impression of logging off but the username and password seem 
> to persist on the client browser so re-entering a previously visited page 
> that pulls data just continues to work.  If I manually clear the browser 
> cookies then the access gets denied but the 4DSID cookie cannot be cleared by 
> javascript...
> 
> What are the correct steps to achieve this.  I need help...
> 
> Regards,  Dougie
> 
> 
> telekinetix Limited- J. Douglas Cryer
> Phone : 01234 761759  Mobile : 07973 675 218
> 2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
> Email : jdcr...@telekinetix.com  Web : http://www.telekinetix.com 


4D Web Log Out

2019-02-28 Thread Douglas Cryer via 4D_Tech
Hello folks,

Forgive me if this question has been asked many times before but I am a bit 
stumped.

Logging on to 4D via a web page is relatively simple either using the nasty 
dialog or rolling your own page to submit the httpauth details.

Logging off however is proving to be more difficult.

I can give the impression of logging off but the username and password seem to 
persist on the client browser so re-entering a previously visited page that 
pulls data just continues to work.  If I manually clear the browser cookies 
then the access gets denied but the 4DSID cookie cannot be cleared by 
javascript...

What are the correct steps to achieve this.  I need help...

Regards,  Dougie


telekinetix Limited- J. Douglas Cryer
Phone : 01234 761759  Mobile : 07973 675 218
2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
Email : jdcr...@telekinetix.com  Web : http://www.telekinetix.com 





