Server-side way to disable logins for all users
Hello all,
In my ZEN login page, I found a way to bypass the submit button and force a user to click on the Sign In button, thus forcing the code to call my OnSubmit(), like this:
<!--ondefault="return true;"--><!-- this removes the ability to use "return" to login - forces button click to login -->
<text name="CacheUserName" />
<password name="CachePassword" />
<!-- the submit button is special, and submits automatically without checking first -->
<!--<submit caption="Login" id="login" /> -->
<button caption="Login" id="login" onclick="zenPage.onsubmit()" />
</loginForm>
ClientMethod onsubmit() [ Language = javascript ]
{
    // Client-side gate: refuse to submit while the server-set flag is on
    if (zenPage.getProperty('LoginsDisabled') == '1') {
        alert('Logins are currently disabled');
        return false;
    }
    var form = this.getComponentById('loginForm');
    form.submit();
    return true;
}
In effect, this allows us to disable logins for all users, with the stroke of one global setting.
This works, and we're able to set a flag (which the LoginsDisabled property reads) to disable logins. There's a HUGE problem with this -- it's in the clear, in javascript code.
Question: is there any way to do this on the server side, so that prying eyes can't get around it?
Note: I changed this method to a ZenMethod, but there is no server-side method to submit() the form -- only a client-side method.
To provide server-side enforcement as well (from a security perspective, in addition to what you have client-side to provide a nicer experience for well-behaved users), you should be able to use %CSP.SessionEvents with OnLogin overridden to check a global (or something) and return an error, or set %session.EndSession = 1, if logins are disabled. This class would need to be set up for the web application(s) through which your application is accessed - see "Event Class" here.
After actually trying out my own suggestion, I think this would actually be better:
My original suggestion doesn't actually end the session, it just results in an error response for one request. Trying to load the desired page again seems to actually work in that case.
Hi Timothy,
Yes, indeed, thanks. I already have a SessionEvents class set up for all my web applications involved, so I stuck in this method:
ClassMethod OnLogin() As %Status
{
    // %CSP.SessionEvents callback, run once the user has authenticated
    if ^ZPMGSYSTEM("%DOWNFLAG")=1 quit $$$ERROR($$$GeneralError,"Logins are currently disabled")
    quit 1
}
This caused an actual login that got around our flag (via special testing, in this case) to get a response of
Not Found
The requested URL /Works/PMG.Works.Home.cls was not found on this server.
Is that the expected behavior?
So, I would say this works. Unfortunately, it also removes my backdoor -- it keeps out everyone! I guess I could add a little backdoor into this method as well; a screen door, if you will, on my back door.
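Putting Timothy's refinement (return an error and set %session.EndSession = 1) together with the flag check above gives a complete Event Class. This is an added example, not code from the thread: the class name Example.LoginGate, the console-log line and the %Admin_Manage:USE exemption for operators are my assumptions; the global ^ZPMGSYSTEM("%DOWNFLAG") is the one used in the thread.

```objectscript
/// Event Class to assign to each web application whose logins should honour
/// the maintenance flag. Enforced on the server, so client-side changes to
/// the login page cannot get around it.
Class Example.LoginGate Extends %CSP.SessionEvents
{

/// True when the operator has set the maintenance flag.
/// $Get avoids an <UNDEFINED> error when the global has never been set.
ClassMethod LoginsDisabled() As %Boolean
{
    Quit ($Get(^ZPMGSYSTEM("%DOWNFLAG")) = 1)
}

/// Assumed exemption: users holding %Admin_Manage:USE may still log in
/// during maintenance, so the outage flag cannot lock out the operators.
ClassMethod IsMaintenanceOperator() As %Boolean
{
    Quit $System.Security.Check("%Admin_Manage", "USE")
}

/// Called by the CSP engine after the user has authenticated.
/// Returning an error rejects the current request; EndSession = 1 also
/// tears the new session down, so a second request cannot reuse the login.
ClassMethod OnLogin() As %Status
{
    If ..LoginsDisabled(), '..IsMaintenanceOperator() {
        Set %session.EndSession = 1
        // Leave an audit trail of who was refused and from where
        Do ##class(%SYS.System).WriteToConsoleLog(
            "Login refused (logins disabled): user=" _ $Username _
            " from=" _ $Get(%request.CgiEnvs("REMOTE_ADDR")) _
            " app=" _ %request.Application)
        Quit $$$ERROR($$$GeneralError, "Logins are currently disabled")
    }
    Quit $$$OK
}

}
```

Because the check runs in OnLogin rather than in the page's JavaScript, it applies whatever the browser sends, and the console log gives you a record of attempts made while the flag was on.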