Hello,

I want to navigate between different apps. One of them is a Web App and the other is Reactive Web.

My question is: how do I click the URL on the first page and then go to the second page without being asked for a user login?

I tried with the same role, but it still asks me for a user login.


Thank you,

Clara. 

Hi Clara,

The reason for the situation you describe is that currently the sessions in Traditional Web and modern web are different, so when your user navigates from one app to the other, if there is no session yet, it will ask for a login.

It will be solved permanently very soon, but in the meantime you'll have to look for a way to pass the session/login between the apps.

Take a look at this Forge component; it's a crude and simple example, but it will show you the way.


Cheers

Hello Rui, We did it as you said to me.

We made a Screen with a link that has the URL of the site we want to redirect to.

Then I created a Blank Screen in the destination with the Anonymous role checked and a Preparation with the User Login Server Action, and voilà!


Thank you so much!!

Hello Clara and Rui Barbosa.


I don't know why, but somehow my post was deleted. I will repost it, so this thread is clear for everyone.

Thank you Rui Barbosa, for informing me via a private message.


My suggestion to Clara was to create an External URL to a Blank Screen with the Anonymous Role and execute the UserLogin Server Action in the Preparation of that screen. After that, it was just necessary to redirect to the screen she wants.


Clara, I'm glad you managed to do it :)


Kind regards,

Rui Barradas


I think it was because my environment is broken and doesn't work as usual, and for this reason your message was deleted. But I agree with you!! Sorry, and again, thank you so much!


Clara & Rui,

I just wanted to give you both a heads up on security.

I do not know the implementation details, but it looks like anyone who has the URL to the anonymous page will get a valid session with a valid user once the redirect is completed.

This might pose a serious security risk.

@Rui, care to share a bit more about the implementation details?

Cheers

Hi Rui,

Thank you for the heads up.

I just gave Clara a possible way to address the problem. In my opinion, there are security issues associated with every single application that should be addressed and not just with this one.

I don't know the implementation details either, but Clara could manage a session token (GUID) associated with the User with an expiration timeout (saving it in the Server Database) from the first application and validate that the token is still valid during the redirect to the second application. If not, then she just needs to redirect to an invalid permissions page.

Also, we don't know if these applications are for internal use or not. If so, there is no problem with this implementation, since the URL is not exposed to the Internet.


Thank you,

Rui Barradas

Precisely my point.

What you proposed to Clara initially is inherently insecure and not a best practice.

It doesn't matter if it is an internal network or not, otherwise the application would have all pages as anonymous.

For this I will uncheck your post from Marked as Solution so users are not misled.

Showing how to authenticate users between apps using tokens, like you suggested, is the objective of the Forge component mentioned.

Cheers

Rui,


Actually, I don't agree with you at all.


I used this exact same practice in some of my applications and never had a single security issue. Besides, we had an external team executing some intrusion tests on those same applications, and no security points were raised by them. It's all about the logic that is behind the implementation to control and validate the navigation. But the navigation itself is performed exactly like I suggested.


The solution I gave is perfectly fine, since it resolves Clara's original problem (which is only the navigation between different applications). For this, you should keep my post as "Marked as Solution". The rest (for instance, security issues) was pointed out by you and is not mentioned in the original post. Despite that, the control of the navigation is all about the logic that is behind the navigation.


I don't know the Forge component that you mentioned, but in my case we created our own engine to create and manage a session token that controls a valid session for a user. But you can implement any other engine that fits your needs in order to address this. Like I said, it's all about the logic behind the navigation :)


Thank you,

Rui Barradas

Rui,

My only point was that your initial solution was incomplete and I gave you the opportunity to elaborate on it, which you did and I thank you for it.

Creating an anonymous screen with an automatic login of a user is a security risk; otherwise you wouldn't have created your "own engine to create and manage a session token that controls a valid session for a user" like you mention above.

For someone else browsing the forum, finding that post marked as solution without reading further will lead them into error or at least to a potential security risk.

We can't have that.

I'm tempted to mark the above post as a solution since you mention the token management system and the navigation logic, but your sentence "The solution I gave is perfectly fine, since it resolves Clara's original problem (which is only the navigation between different applications)." really doesn't help the new users, since they may not be aware of the potential security risk which comes after.

I would like to propose that you do another post (or edit the above) detailing the complete solution so that the entire community can benefit.


Solution

Hello again,

I will make it clear for everyone as you suggested :)


As I said before, my suggestion to Clara was to create an External URL to a Blank Screen with the Anonymous Role and execute the UserLogin Server Action in the Preparation of that screen. After that, it was just necessary to redirect to the screen she wants.


However, like every single application and functionality, security issues should always be taken into consideration in the middle of the development plan. In this particular scenario, as Rui Barbosa said above, someone who has access to the URL may get a valid session into the second application if this is not properly addressed.


I used this exact same practice in some of my applications in the past. To address this security issue, our team implemented an engine to create and manage a session token that controls a valid session for a user. This engine allows you to control the flow of the navigation between the screens. Basically, we manage a session token associated with the user with an expiration timeout from the first application and validate that the token is still valid during the redirect to the second application. If it's not valid, one just needs to redirect to an invalid permissions page.


There might be other ways to do this. It's all about the logic behind the navigation. You can implement any other engine that fits your needs in order to address these security issues.


Hope it helps.

Kind regards,

Rui Barradas
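As an added illustration of the two approaches discussed in this thread (not code from any poster or from the Forge component mentioned), the following Python sketch contrasts the anonymous landing page that logs in a fixed user with the expiring, single-use handoff token Rui Barradas describes. The in-memory `TOKEN_STORE` dictionary, the 60-second TTL and the `/Home` and `/InvalidPermissions` paths are assumptions standing in for the server database table and screens an OutSystems app would use.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed stand-in for the server database table that holds handoff tokens.
# Only a hash of the token is stored, so a database read alone does not yield usable tokens.
TOKEN_STORE = {}            # token_hash -> {"user_id", "expires_at", "used"}
TOKEN_TTL_SECONDS = 60      # assumed expiration timeout; a redirect needs only seconds

def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_handoff_token(user_id, now=None):
    """First application: called only for a user who is already logged in there.
    Returns the raw token to embed in the redirect URL; its hash and expiry go to the store."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # unpredictable, unlike a guessable sequential id
    TOKEN_STORE[_token_hash(token)] = {
        "user_id": user_id, "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def build_redirect_url(second_app_base, token):
    """Link placed on the first application's screen, pointing at the landing screen."""
    return second_app_base + "?" + urlencode({"handoff": token})

def insecure_landing(_request):
    """Pattern as first described: anonymous screen whose Preparation calls UserLogin
    for a fixed user. Anyone who reaches the URL is logged in, no check at all."""
    return {"logged_in_as": "shared_user", "redirect": "/Home"}

def secure_landing(token, now=None):
    """Second application's anonymous landing screen with the token check in its Preparation.
    Rejects unknown, expired and already-used tokens, and consumes a valid one."""
    now = time.time() if now is None else now
    rec = TOKEN_STORE.get(_token_hash(token or ""))
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return {"logged_in_as": None, "redirect": "/InvalidPermissions"}
    rec["used"] = True   # single use: a leaked or bookmarked URL cannot be replayed
    return {"logged_in_as": rec["user_id"], "redirect": "/Home"}
```

The logged-in session that `secure_landing` establishes should still be bound to the second application's own session handling; the token only carries the identity across the redirect.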
