here is an application case, my description is simplified.
here are 3 roles of a website: admin, moderator, and visitor
admin can control everything, moderator manages some part of the website, and visitors can post threads and read threads
the relationship of the users, roles and permissions are stored in the database in RBAC style
now admin want to downgrade a moderator to visitor, it's easy to manipulate the operation in the database.
but if the moderator is still online when this action is performed, there will be problem.
the admin and the moderator have two different session, and to accelerate the website speed, normally we put the roles and permissions in session, we don't query it every time when the user send request, so the admin's manipulation would not modify the session of the moderator. once the moderator session is not expired, the moderator still has the permissions.
so the essential requirement is how to manipulate one session by another session in the web service.
my website is based on python. Because RBAC is required, so I prefer flask more than django
django.auth module can control the access permission to each model, but what we want to control is the api/url not the model. Because rest_framework.authentication.TokenAuthentication based on django.auth, if we give up django.auth, we have to develop own token handler to defeat CSRF, but I don't want more work load.
so my question is: how to handle this situation? how to communicate or operation between different sessions in the web service, especially flask or django
if flask can resolve this problem, I'll feel better. or solution based on django is also ok.
If loading user from the database is slowing your application down, then I assume it is under heavy load and using a Redis server would speed things up. You can use it for:
Creating a data structure in Redis (for example: a hash) to store user information. Loading user from Redis is much faster. When your create/update a user in the database, you will have to modify the data in Redis, too. This way all user roles and permissions will be up-to-date.
Creating server side sessions with Flask-Session. All the session data is kept on the server and the user gets a key to access it. If you delete the key on the server the session is deleted and the user will have to login again.
But I think that loading user from the database is the best solution.
Related
If for example I want to show a zero(0) for all users to see, and I want all users to add one(1) to the number With their Identity only shown for superusers. And how to make sure that each user only can add one time, and of course what is the Security requirements that have to be done to prevent unautohrized Access to change any of this or to get any information?
I understand this is a big topic, but could someone briefly explain for me what parts of Programming that are involved, and maybe some good books on these topics?
The web is stateless. This means that if a browser requests the same page twice, a traditional web server has no real way of knowing if it's the same user.
Enter sessions. Django has an authentication system which requires each user to log in. When the user is logged in they're given a session. A session is made of two parts; A cookie containing a randomly generated token, and a database entry with that same token.
When a user logs in, a new session token is generated and sent, via a cookie, back to the user which the browser stores. At the same time, that record is created in the database. Each time a browser makes a request to Django, it sends its session cookie along with the request and Django compares this to the tokens in the database. If the token exists, the user is considered to be logged in. If the token doesn't exist, the user isn't logged in.
In Django, there are User models which make it easy to check who the currently logged in user is for each request. They're doing all that token checking in the background for us on each and every request made by every user. Armed with this, we can associate other models via "foreign key" relationships to indicate who owns what.
Say you were making a blog where multiple users could write articles. If you wanted to build an editing feature you'd probably want to restrict users to only be allowed to edit their own articles and nobody else's. In this situation, you'd receive the request, find out who the current user was from it, compare that user to the "author" field on the blog Post model and see if that foreign key matches. If it matches, then the user making the current request is the owner and is allowed to edit.
This whole process is secured by the fact that the session tokens are randomly generated hashes, rather than simple ID numbers. A malicious attacker can't simply take the hash and increment the value to try and access adjacent accounts, they'd have to intercept another user's hash entirely. This can be further secured by using SSL certificates so that your connections go over https:// and all traffic is encrypted between the browser and your server.
I have two web server (server1, server2) and multiple web application (20+) are running. Some app(10+) needs ldap authentication to get access. I wanted to implement 'single sign on' kind of stuff and maintain session with ldap authentication.
My proposal: Once user is logged in any of the application then maintain a unique key for each user in persistent key value store, with a timestamp, and lifetime.
timestamp-> when the user logged in.
lifetime-> who long the authentication should be valid.
What is the best way to implement this feature?
First thing came in my mind is persistent message queues. Any suggestion what is the best way to this and which persistent message queue to choose.
NOTE: I can run this session management in server1 or server2 and both may go down. (Language of choice : Any, Preferable python.)
Please comment if problem statement is not clear.
What you are looking for seems to be something like the redis backend session store.
there is a libary available for this solution in Django:
https://github.com/martinrusev/django-redis-sessions
and an official snipplet from Flask:
http://flask.pocoo.org/snippets/75/
If you run the redis session storage on a different server than your applications, your authentification system should still be functional in the case that one of your application servers goes down.
I'm working on a Django application with users through Django's auth, on the other side there is an Oauth2.0 server that already has all users and their permissions registered. My goal now is to integrate the Django app with the Oauth2.0 server so we won't have to administrate the users ourselves. This would make it so the when the users want to log into our app they are redirected to the Oauth2.0 login site and then redirected to the home of our app once they login successfully.
I think I understand how Oauth2.0 works but I have a couple of questions I couldn't find anywhere else.
Is the scenario I'm describing possible? As in the users would no longer have to be registered in our app and a 3rd party Auth server would provide access to our app or not.
Once I get the access token after the user login where is it safe to keep the access token? I was thinking I could save to AT as a session variable so as to keep the end user's session linked to his account which is external to our Django app.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
I would suggest using a third-party application, like django-allauth. You can simply disable creating local accounts, and enable a single custom social provider that interacts with your OAuth2.0 authorization server.
As noted here, the process of creating your own custom OAuth provider isn't documented, but shouldn't be too difficult.
Once I get the access token after the user login where is it safe to keep the access token?
Allauth will store the access token in the database. If you want to put it in the session too, you can, but there's no point unless you want the client to make requests to the resource server directly.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
That's fine. If your authorization server has no way to invalidate issued access tokens, though, you can just assume that the access token is good up until the expiration date.
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
Just use the access token normally. If the resource server indicates that it's invalid, prompt the user to log in again. You will get a new access token for that user that reflects their current permissions.
I'm currently developing a site with Python + Django and making the login I started using the request.session[""] variables for the session the user was currently in, and i recently realized that when i do that it generates a cookie with the "sessionid" in it with a value every time the user logs in, something like this "c1cab412bc71e4xxxx1743344b3edbcc" and if I take that string and paste it in the cookie on other computer in other network and everything, i can have acces to the session without login in.
So what i'm asking here actually is if anyone can give me any tips of how can i add some security on my system or if i'm doing something wrong setting session variables?
Can anyone give me any suggestions please?
Sadly, there is no best way you can prevent this from what I know but you can send the owner of an account an email and set some type of 2fa.
There are a couple of things that can do to help improve the security on session cookies.
You can force a session to expire as soon as the user closes their browser.
In your settings.py file add:
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
You can manually set the number of seconds until a session expires
Using the first argument(request) of any view:
request.session.set_expiry(value) # number of seconds or timedelta object
To address your specific issue, please consider that what you are describing is actually one of the primary features of session security cookies. They are convenience tools that enable users to use the secured parts of site without having to re-authenticate with every page request. Even the cross browser aspect of it is a feature since many apps and browsers provide a sync feature that allows you to share cookies and sessions datas with your mobile and other devices and other web browsers.
If you still feel that this is too significant of a security risk, then probably the safest approach would be to remove the SessionMiddleware
from MIDDLEWARE and django.contrib.sessions both in your settings.py
The app I'm deving uses a lot of ajax calls. Unfortunately I hit a snag when researching on how to restrict access to the api. For example:
i have table that does an ajax call to http://site/api/tasks/bob
i need to make sure that only bob, logged in, can read that table
(otherwise somebody who knows the pattern might request to see bob's
tasks by simply entering the url in the browser).
on a different page,the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that)
Thank you for your time reading this and maybe answering it.
The thousand-foot view is you need to authenticate the user either with:
A) HTTP-Auth (either basic or digest) on each request.
B) Server-side sessions. (The user authenticates and receives a session key - their user information is stored in the session backend on the server, attached to that key Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)
Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.