I know this is an old one to be asking about, but I am trying to figure out a way, through my python login script, to set the CookieCrumbler cookie(s) that are automatically sent to the user upon successful login and visiting a restricted URL.
My goal is to allow my python script to call a zsql method and redirect the user based on their account_type (a column in my db). I have this all working right now, but across two different python scripts. The first logs in the user and redirects to the second script which makes the call to the zsql method and redirects the user accordingly. I would love to be able to do this all in one script, but if the cookies aren't sent the username of that user isn't stored in a cookie and thus cannot be accessed by the zsql method.
I know how to expire the cookies upon logout, but when I change it to setCookie it wants me to define the entire cookie, which of course I need CookieCrumbler to do.
One of my thoughts was to somehow get python to invisibly hit a secure URL and deliver the cookies to the user's browser, sleep for 2 seconds to ensure they got through, and then proceed to the sql stuff.
Another option is what I already mentioned, which is to get CookieCrumbler to send the cookies to the user's browser directly instead of having to try and access a secure URL.
Here's the code I have now:
import time
request = container.REQUEST
response = request.response
context.REQUEST.RESPONSE.setCookie('__ac', path='/')
context.REQUEST.RESPONSE.setCookie('__ac_name', path='/')
time.sleep(3)
for user in context.account_data_select():
    if user.account_type == 12 :
        response.redirect("https://secure.mydomain.com/secure/blah")
    else:
        response.redirect("https://secure.mydomain.com/secure")
Of course this doesn't work because setCookie requires 3 variables (name, value, options). I do not want to set these manually. I want CookieCrumbler to do its thing and provide the appropriate cookies to the user's browser.
Btw, I am using Zope 2.13.29 and am not using Plone. Just the standard old Zope with Python 2.7.2.
First of all, I googled this question but found some generic explanations which didn't give me a good understanding of how to do things.
Second, I'm a valid system user (not admin) and have access to the data, i.e. I have valid user credentials and can download the file manually, but for a small automation I would like to have it downloaded by a Python script from my PC.
The download itself is simple; the only thing is that I need to provide a valid session id cookie with the request, i.e. in the end I need to obtain this cookie in the easiest way.
If my understanding is right, in terms of SAML I'm a User Agent and want to download a file from a Service Provider which needs to authenticate me with an Identity Provider (Microsoft). Usually I do it via browser and now I'm able to emulate it with the help of PySide6 (QWebEngineView). I load the target URL first in QWebEngineView. Actually it is a small embedded web browser; it redirects me to login.microsoft.com, asks for credentials and then redirects me back to the Service Provider site and sets the session id cookie. Then I'm able to use this cookie with my requests. It works, but I would like to get rid of the GUI (PySide) if possible.
I decided to replicate the flow that the browser does and failed almost at the beginning. What happens:
I'm requesting a file from my Service Provider side with usual get request.
Service provider replies with HTML page (instead of target file) as I'm not authenticated.
This HTML page contains JavaScript triggered by the onPageLoad event; this JavaScript simply redirects the browser to login.microsoft.com (a long URL with some parameters).
Next request with this long URL for login.microsoft.com ends with "302 Moved Temporarily" with the same URL in "Location" header. And when I go with this URL it again gives me 302 with the same URL.
With the same scenario the browser gets only two redirections and finally receives a URL of a web page with a login/password request from microsoft.com.
I understand that I should put some more headers/cookies when I go again with URL provided in "Location" header of 302 response. But... I have no idea what login.microsoft.com expects here.
So my question is - is there any source where this message flow is described? Or maybe someone did it already and may give me advice how to proceed?
I found some SAML-related libraries for Python, but I see quite complex configuration there with x509 certificates and more stuff; it looks like they are targeted more at implementation on the Service Provider side, not for external login.
I'm writing a bunch of automated tests using selenium and one of the tests requires user authentication. After entering user's credentials (email and password) I need to wait for the process of authentication to complete. So basically it boils down to waiting for the server to respond with an Auth cookie.
But how do I get it?
I tried searching on the Internet but didn't find anything that answers that question. If I do driver.get_cookies() it returns a whole bunch of them, which one of them should I use then?
driver.manage().getCookies();
will provide the set of cookies used or available at that instant. You have to cross-check which cookie is responsible for what and use it.
As you know, driver.manage().addCookie(arg0) is used to add required cookies; if you want to get a required cookie, use driver.manage().getCookieNamed(arg0).
Once a user logs in for the first time in my application he has to make some selections. I do it by redirecting him to the 'configuration page'. These selections are crucial for the whole webpage's existence, so the application shouldn't do anything before they are submitted.
I want to make a request listener that would check whether the user has those selections set and, if not, redirect him to the proper page.
I have done it using:
from pyramid.events import NewRequest, subscriber
from pyramid.httpexceptions import HTTPFound

@subscriber(NewRequest)
def has_preferences_set(event):
    request = event.request
    user = request.user
    if not user.preferences:
        raise HTTPFound(location=request.route_url('set_my_preferences'))
However, I have a few problems with it. First, this event is actually called 6 times on a single request (what is more, none of them is for the actual request: 2 are for static files, 4 are for pyramid_toolbar). Second, after redirecting I get this error:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete
Take a look into todopyramid. It redirects new and existing users with invalid preferences to an account page to set up their user preferences. At every subsequent login valid user preferences will be ensured again.
todopyramid
redirects new users to an account page
updates user preferences within account view
ensures at every login that user preferences are in a valid state
encapsulates validation logic for user preferences in user model
You might customize validation logic to your needs. todopyramid is working well and encapsulates the concept you need into common models and views. No magic event handlers required.
todopyramid even has a demo page.
Regarding the redirection failure, it's because you have an infinite redirection. When you load your route 'set_my_preferences', your event is triggered and will redirect again.
Regarding the 6 requests, it's true that all these requests, when in dev, are served by Pyramid. In production however, the static files will be (should be) served by the server in front (eg. nginx), and the toolbar won't be served.
Also note that it's heavy on the database to load user preferences in another table for each request. You should probably cache it or something if you really need it every request.
And it's a weird state you have here. Some users not having preferences and others having preferences. You should probably insert default preferences for all the users, and allow them to change those. You will avoid a lot of possible errors and also reduce the number of "if not user.preference" in your application.
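A stand-alone model of the redirect loop described in this answer, added here as an example (it is not code from the question or the answer, and does not import Pyramid): the naive subscriber redirects even on the preferences page, so a browser never terminates, while the fixed one exempts that page, static assets and the toolbar. The route name, the path it maps to and the exempt prefixes are assumptions; note that at NewRequest time Pyramid has not yet matched a route, so the fix compares paths rather than `request.matched_route`.

```python
from dataclasses import dataclass, field
from typing import Optional

PREFS_ROUTE = "set_my_preferences"   # route name from the question
PREFS_PATH = "/account/preferences"  # assumed path that route maps to
EXEMPT_PREFIXES = ("/static/", "/_debug_toolbar/")  # assumed static/toolbar paths


@dataclass
class User:
    preferences: dict = field(default_factory=dict)


@dataclass
class Request:  # stand-in for pyramid.request.Request (assumption)
    path: str
    user: Optional[User] = None


def naive_subscriber(request):
    """Mirrors the original subscriber: redirects whenever preferences are
    missing, including on the preferences page itself, so the browser loops."""
    if request.user is not None and not request.user.preferences:
        return PREFS_PATH
    return None


def fixed_subscriber(request):
    """Skips anonymous users, the preferences page, static assets and the
    debug toolbar, so the redirect happens at most once per request."""
    if request.user is None:
        return None
    if request.path == PREFS_PATH or request.path.startswith(EXEMPT_PREFIXES):
        return None
    if not request.user.preferences:
        return PREFS_PATH
    return None


def follow(subscriber, path, user, max_hops=10):
    """Follow redirects the way a browser does. Returns the final path, or
    None once the hop limit is exceeded (what Firefox reports as a loop)."""
    for _ in range(max_hops):
        target = subscriber(Request(path, user))
        if target is None:
            return path
        path = target
    return None
```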
The app I'm deving uses a lot of ajax calls. Unfortunately I hit a snag when researching on how to restrict access to the api. For example:
I have a table that does an ajax call to http://site/api/tasks/bob. I need to make sure that only bob, logged in, can read that table (otherwise somebody who knows the pattern might request to see bob's tasks by simply entering the URL in the browser).
On a different page, the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that).
Thank you for your time reading this and maybe answering it.
The thousand-foot view is that you need to authenticate the user with either:
A) HTTP Auth (either basic or digest) on each request.
B) Server-side sessions. (The user authenticates and receives a session key; their user information is stored in the session backend on the server, attached to that key. Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)
Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.
All
In a Django project, if 2 template windows are opened and logout is triggered in 1 window, the other window's cookies are not cleared. How do I delete the cookies as well so that the logout will be triggered?
from django.contrib.auth import logout as auth_logout
from django.shortcuts import redirect

def logout(request):
    # request = redirect('webbie.home.views.loginpage')
    # request.delete_cookie('user_location')
    return auth_logout(request)
Thanks..
In the cookie you should only store a session key. The server then needs to keep track of all session keys and associate an expiry date/time and user account with them. Every user that logs in should be given a new session key, though you may allow multiple logins per user account. So when you check if the cookie is valid you need to consult your server DB and see if you have this session key and that it's valid. If you now want to "kill" all active sessions for a user account when one of them logs out, you just need to remove all session keys for it from your server's session key list.
You should try to not store sensitive data in cookies, a session key is enough and then have the server associate data to this key. Now you have control of the signed in users.
More Django session info in their documentation: http://docs.djangoproject.com/en/dev/topics/http/sessions/
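An in-memory server-side session store of the kind described in both the Flask answer above (option B) and this Django answer, added here as an example that is neither answer's own code and is framework-free: the cookie carries only an opaque random key, while identity, role and expiry live on the server, which makes "log out everywhere" a server-side deletion. The class and function names, the session lifetime and the rule for the /api/tasks/<owner> endpoints are assumptions.

```python
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed session lifetime


class SessionStore:
    """Maps opaque session keys to server-side user data (assumed layout)."""

    def __init__(self):
        self._sessions = {}  # key -> {"user": str, "role": str, "expires": float}

    def login(self, username, role="user", now=None):
        """Issue a fresh random key on every login; several per account are allowed."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[key] = {"user": username, "role": role,
                               "expires": now + SESSION_TTL}
        return key

    def lookup(self, key, now=None):
        """Return the session for a known, unexpired key; None otherwise."""
        now = time.time() if now is None else now
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if sess["expires"] <= now:
            del self._sessions[key]  # lazily purge expired sessions
            return None
        return sess

    def logout_everywhere(self, username):
        """Drop every session of the account, so other windows are logged out too."""
        dead = [k for k, s in self._sessions.items() if s["user"] == username]
        for k in dead:
            del self._sessions[k]
        return len(dead)


def may_read_tasks(store, key, owner):
    """Authorization for /api/tasks/<owner>: 'all' is admin-only, and a named
    user's tasks are readable only by that user or an admin."""
    sess = store.lookup(key)
    if sess is None:
        return False
    if sess["role"] == "admin":
        return True
    return owner != "all" and owner == sess["user"]
```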
What do you mean exactly? You mean if you have two windows open with the same website, and you log out in one window, you are not logged out in the other window? I doubt that.
Of course you are not redirected in the other window to a certain page because you haven't done anything in this specific window. But if you click a link that is only available for logged in users, you should be redirected to a login page.
And no, you cannot detect on client side if a user logged out from another site, at least not without Ajax and some custom checks.