Jul 2, 2009

Authentication and Sessions

The entire day was spent on user authentication. Here's what I got done:
  • The application checks for a valid session on every page request. It displays an error message and reverts to the login page if the session has expired or contains invalid user information.
  • Users with default passwords are automatically redirected to the Change Password screen and are not allowed access to any other screens until their passwords have been changed.

Man, it feels like I did a lot more work, but really, that's it in a nutshell. Still, getting the entire authentication functionality done in one day is pretty good time. I haven't started adding role-based security yet; for now, any logged-in user has access to everything.

So the User controller is as done as it can get until I add functionality for all the stuff that users are linked to.

I'm ticking bugs off my list faster than I'm adding them, so I guess that's good news.

One thing that's a bit different: the Change Password page does not require an authenticated session; the user ID can be passed through the URL as a UUID. This is not a breach of security, because the user must still provide login credentials on this page. It was an easy way to solve the problem that new users who had not yet changed their password would otherwise be locked out of every part of the application. I just added Change Password to my list of exceptions to the actions that require login. And I did a whole bunch of other stuff to make things nice and bulletproof. But I'm not telling you what they are!
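The three rules described above (a session check on every request, default-password users confined to the Change Password screen, and an exemption list that lets Change Password be reached with a user ID from the URL as long as the current credentials are supplied) fit together as shown in this added example. It is not the blog's code and assumes no particular web framework: the action names, the `LOGIN_EXEMPT_ACTIONS` list, the session TTL and the default password value are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass

# Constructed values for this example (not from the post).
LOGIN_EXEMPT_ACTIONS = {"login", "change_password"}  # the "exceptions" list
SESSION_TTL_SECONDS = 30 * 60
DEFAULT_PASSWORD = "changeme"  # placeholder for the app's initial password
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage or comparison."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class User:
    user_id: str  # UUID string, the value the post passes through the URL
    username: str
    salt: bytes
    digest: bytes
    must_change_password: bool = False

    def check_password(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)


@dataclass
class Session:
    user_id: str
    expires_at: float


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> User:
        salt, digest = hash_password(password)
        user = User(str(uuid.uuid4()), username, salt, digest,
                    must_change_password=(password == DEFAULT_PASSWORD))
        self.users[user.user_id] = user
        return user

    def login(self, username: str, password: str, now: float) -> str | None:
        """Returns a fresh session id on success, None otherwise."""
        for user in self.users.values():
            if user.username == username and user.check_password(password):
                sid = secrets.token_urlsafe(32)
                self.sessions[sid] = Session(user.user_id, now + SESSION_TTL_SECONDS)
                return sid
        return None

    def authorize(self, action: str, session_id: str | None, now: float) -> tuple[str, str]:
        """Per-request check: ("allow", user_id) or ("redirect", target_screen)."""
        session = self.sessions.get(session_id) if session_id else None
        if (session is None or session.expires_at <= now
                or session.user_id not in self.users):
            # Expired, unknown or orphaned session: discard it and send the
            # user to login, unless the action is on the exemption list.
            self.sessions.pop(session_id, None)
            if action in LOGIN_EXEMPT_ACTIONS:
                return ("allow", "")
            return ("redirect", "login")
        user = self.users[session.user_id]
        if user.must_change_password and action != "change_password":
            return ("redirect", "change_password")
        return ("allow", user.user_id)

    def change_password(self, user_id: str, current_password: str, new_password: str) -> bool:
        """Reachable without a session (user_id comes from the URL), so the
        current credentials are verified here; re-using the default is refused."""
        user = self.users.get(user_id)
        if user is None or not user.check_password(current_password):
            return False
        if new_password in (DEFAULT_PASSWORD, current_password):
            return False
        user.salt, user.digest = hash_password(new_password)
        user.must_change_password = False
        return True


if __name__ == "__main__":
    svc = AuthService()
    u = svc.add_user("alice", DEFAULT_PASSWORD)
    sid = svc.login("alice", DEFAULT_PASSWORD, 0.0)
    print(svc.authorize("dashboard", sid, 0.0))       # redirect to change_password
    svc.change_password(u.user_id, DEFAULT_PASSWORD, "a longer new secret")
    print(svc.authorize("dashboard", sid, 0.0))       # allow
```

The exemption list is consulted only after the session has been found invalid, so a logged-in user who still has the default password is redirected to Change Password even when requesting an exempt action such as login; and because `change_password` re-checks the current password, knowing a user's UUID from a URL is not enough on its own to set a new one.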
