mozilla / persona

Persona is a secure, distributed, and easy to use identification system.
https://login.persona.org

Auto logout #4235

Open haani104 opened 8 years ago

haani104 commented 8 years ago

Hi,

I have been using Persona for quite a while now for my company's website. However, recently I have started facing an issue where the logged-in user gets immediately logged out.

Below is my implementation.

login.jade

script(type='text/javascript', src='https://persona.mycompanydomain.com/production/include.js')

login.js

navigator.id.watch({
    loggedInUser: currentUser,
    onlogin: function (assertion) {
        $scope.loginProgress = true;
        merchantOnboardService.loginUser(assertion) // Calls my API at backend (Node.js)
            .success(function (res) {
                // redirects to One Time Password Screen (OTP)
            })
            .error(function (err) {
                navigator.id.logout();
            });
    },
    onlogout: function () {
        merchantOnboardService.logoutUser()
            .success(function (res) {
            })
            .error(function (err) {
            });
    }
});

After verifying the assertion on the server, I render an OTP screen. (I display this screen for 90 seconds, as the assertion expires in 120 seconds, so I call navigator.id.logout() in case the 90 seconds are over.)

OTP.jade

script(type='text/javascript', src='https://persona.mycompanydomain.com/production/include.js')

OTP.js

navigator.id.watch({
    loggedInUser: email || null,
    onlogin: function () { }, // no code here
    onlogout: function () {
        $.ajax({
            url: '/logout', // my backend route
            success: function () {
                window.location = '/login';
            },
            error: function (xhr, status, err) {
                window.location.reload();
                alert('Logout failure: ' + err);
            }
        });
    }
});

Once the OTP is verified I render the home application to the user.

index.jade

script(type='text/javascript', src='https://persona.mycompanydomain.com/production/include.js')

index.js

navigator.id.watch({
    loggedInUser: currentUser,
    onlogin: function () {

    },
    onlogout: function () {
        console.log('onlogout called');
        $.ajax({
            url: '/logout',
            // This is a URL on your website.
            success: function () {
                window.location = '/login';
            },
            error: function (xhr, status, err) {
                window.location.reload();
                alert('Logout failure: ' + err);
            }
        });
    }
});

So the user is logged in and starts working on the panel, but suddenly after 1-2 minutes the panel gets logged out. Upon debugging in the console I found that the API below gets called from my index.html page after a minute or so (curl call below), after which the onlogout callback gets called.

curl 'https://persona.mycompanydomain.com/wsapi/list_emails' -H 'Cookie: browserid_state_390030=y_RjoiFp3t3YBEbPAyukgg.jn7pqMccJqd1gRdQYciPKNkCjUtwPyndbakdHlPuU7m2ReZihZRrsYOIQMt0JUZI5Sa1Jj5SicXAS0HSe241-k_YVnzJ0TPdsNIxkzU4iUJPp8O1bWdCVFJENYKyMPSOpWBJxT_trQqYnMzAbzCFeKqNNAbvmzrHUIzSRzsiTYfuAAQFj6WWj1_sHAoHXrqR.1472527936303.2419200000.YWN9s_xi3Cv5bIszoBeJlAiemVHli-jeLd0Gn7i6xuA; can_set_cookies=1; ff.sid=s%3AIy5P3abfktTDo45uvP0S3ri5IHDQ7uOY.YXnGFGDfTetwZWpDLITiY8gDLpWTXoI21YU%2FVH4mSVY' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'BrowserID-git-sha: bca03be' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36' -H 'Content-type: application/x-www-form-urlencoded' -H 'Accept: application/json;text/plain' -H 'Referer: https://persona.mycompanydomain.com/communication_iframe' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' --compressed

The response code is 200 but I see no data in it.

This logout issue started when I introduced an OTP layer between the login and home page. If I disable the OTP for a user (i.e. no OTP screen, direct redirection to the home page) the application works fine. Also, this issue affects only 10% of my users and not all.

I am not sure what I might be doing wrong here, so any clue or guidance will be beneficial. Thanks in advance.
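The behaviour described in this report follows from how navigator.id.watch() reconciles the site's loggedInUser hint with the session Persona holds in its communication_iframe: when the site says a user is logged in but the iframe's list_emails call comes back empty, Persona fires onlogout. The following is an added, constructed model of that reconciliation rule (not code from Persona's include.js or from this issue's reporter); the function names, the sample address and the shape of the list_emails response are assumptions chosen to illustrate the three pages in the report.

```javascript
// Constructed model of the navigator.id.watch() reconciliation rule.
// Hypothetical names; not Persona's own implementation.

// Extract the address Persona's iframe believes is logged in from a
// /wsapi/list_emails response. Both an object keyed by address and an
// { emails: ... } wrapper are accepted here (assumed shapes); an empty
// response means the iframe holds no session at all.
function personaSessionEmail(listEmailsResponse) {
  const body = listEmailsResponse && listEmailsResponse.emails
    ? listEmailsResponse.emails
    : listEmailsResponse;
  const emails = Array.isArray(body) ? body : Object.keys(body || {});
  return emails.length ? emails[0] : null;
}

// Reconciliation rule modelled here:
//  - loggedInUser === undefined: Persona always fires one callback
//  - site and iframe agree (same address, or both "nobody"): no callback
//  - iframe has a user the site does not know about: onlogin (new assertion)
//  - site names a user but the iframe has none: onlogout
function reconcile(loggedInUser, personaUser) {
  if (loggedInUser !== undefined && (loggedInUser || null) === personaUser) {
    return null;
  }
  return personaUser ? 'onlogin' : 'onlogout';
}

// Run each page's watch() hint against one iframe session and record
// which callback that page would receive.
function simulatePages(pages, listEmailsResponse) {
  const personaUser = personaSessionEmail(listEmailsResponse);
  return pages.map(p => ({
    page: p.page,
    loggedInUser: p.loggedInUser,
    fired: reconcile(p.loggedInUser, personaUser),
  }));
}

// Constructed sample: the three pages from the report.
const CURRENT_USER = 'merchant@example.com';
const PAGES = [
  { page: 'login', loggedInUser: null },          // site has no session yet
  { page: 'OTP',   loggedInUser: CURRENT_USER },  // `email || null` with email set
  { page: 'index', loggedInUser: CURRENT_USER },  // currentUser from the backend session
];

// Iframe still holds the session: the address is listed.
const SESSION_ALIVE = { 'merchant@example.com': { type: 'secondary', verified: true } };
// Iframe has lost the session: the 200 response carries no data.
const SESSION_GONE = {};

// Summarise which pages would be logged out for a given iframe response.
function pagesLoggedOut(listEmailsResponse) {
  return simulatePages(PAGES, listEmailsResponse)
    .filter(r => r.fired === 'onlogout')
    .map(r => r.page);
}

console.log('session alive:', pagesLoggedOut(SESSION_ALIVE)); // []
console.log('session gone: ', pagesLoggedOut(SESSION_GONE));  // [ 'OTP', 'index' ]
```

The model shows why the symptom appears only once the OTP step is inserted: the login page passes null and is indifferent to an empty iframe session, whereas both the OTP and index pages assert an address, so an iframe whose list_emails comes back empty forces onlogout on either of them. The practical check for a deployment like this is to compare the backend's idea of the session with the iframe's list_emails result for an affected user before concluding that the site code is at fault.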

rfk commented 8 years ago

script(type='text/javascript', src='https://persona.mycompanydomain.com/production/include.js')

Are you hosting your own instance of Persona?

haani104 commented 8 years ago

Yes