So I'm working on a django project, and one of the objectives is to allow a separate python script to make a HTTP request (using Requests library) to get json data after being authenticated. This works fine, the problem is that if I directly go the url the request.get object uses, I can see all of the data (without any user authentication being involved). This makes my authentication process pointless, as the data is easily visible by simply going to the url. So how would I hide the data on the web side from being viewed, but still allow a GET request to pull the data to my script?
On a side note, I already have a authentication system for the web interface portion of my project (which displays the data). I've tried putting it behind that but to no success.
import json, requests, _mysql
login_attempt = requests.post('http://127.0.0.1:8000/m_app/data_login/',
{'username': 'test', 'password': 'password1234'})
if login_attempt.content.decode('UTF-8') == 'Successful':
print('Logged in.')
else:
print('Not logged in.')
cookies = dict(sessionid=login_attempt.cookies.get('sessionid'))
data = requests.get('http://127.0.0.1:8000/m_app/load/data', #if I type this URL in, I see the data
cookies=cookies)
print(data.content) #prints desired data
By default all your views in django are public, but it's easy to make them protected by checking request.user or using a login_required decorator.
Related
I was trying to put
session['logged_in'] = True
in the session, but in another blueprint it doesn't persist... Why is that?
Is there any better way to keep something in the session?
Extended:
I have a blueprint giving a form to login. When done and submitted, it will set a session key like above. Then it redirects via
return redirect(url_for('admin.index'))
to admin page where If I call the key via
session.get('logged_in')
I get "None" Instead of the True or False one.
I think I understand your confusion now~
Your flask session won't store anything on the server.
the 'session' dict is filled by the cookies from the client request.
Again. that is:
client make login request to server, and got a [login success] response as well as a [cookies] which contains the !!!sessionINFO!!! you think are stored on the server side.
Next time, you must send the whole cookies to the server again, then your session in the server may have data.
Browser will do this for you.
If you use a local client, say python requests library. Then be sure you are making requests with session (for requests-lib, it's requests.Session())
------------------OLD-------------------------------------
Though not an expert, but the case you described should not have happened.
The session is cookies data encrypted with a secret, if you have gone through the document mentioned by Beqa.
Just set
app.secret = '........'
And use session as a dict.
just FYI,
client request---->server (encrypt your_data 'logged_in' and client_relating_data 'maybe: ip, host or etc.', and put the encrypted info in cookies 'session=....') ------> client (get response with cookies)
client request again -----> server (decrypt the cookie 'session=...' with your secret), find the 'logged_in' data and know you are logged in.)
the cookies is something like below.
So, I'm not sure what's actually your trouble when using session, and put some basic information here. Just hope it helps in case.
I am working on a project in which i am working on a signup/login module. I have implemented the sessions in webapp2 python successfully. Now i want to implement the remember me feature on login. I am unable to find anything which can help me. I do know that i have to set the age of session. But i do not know how. Here is my session code.
def dispatch(self):
# Get a session store for this request.
self.session_store = sessions.get_store(request=self.request)
try:
# Dispatch the request.
webapp2.RequestHandler.dispatch(self)
finally:
# Save all sessions.
self.session_store.save_sessions(self.response)
#webapp2.cached_property
def session(self):
# Returns a session using the default cookie key.
return self.session_store.get_session()
Config:
config = {}
config['webapp2_extras.sessions'] = {
'secret_key': 'my-super-secret-key',
}
Kindly help me.
First in case you don't know the difference between sessions and cookies
What is a Cookie? A cookie is a small piece of text stored on a
user's computer by their browser. Common uses for cookies are
authentication, storing of site preferences, shopping cart items, and
server session identification.
Each time the users' web browser interacts with a web server it will
pass the cookie information to the web server. Only the cookies stored
by the browser that relate to the domain in the requested URL will be
sent to the server. This means that cookies that relate to
www.example.com will not be sent to www.exampledomain.com.
In essence, a cookie is a great way of linking one page to the next
for a user's interaction with a web site or web application.
.
What is a Session? A session can be defined as a server-side storage of
information that is desired to persist throughout the user's
interaction with the web site or web application.
Instead of storing large and constantly changing information via
cookies in the user's browser, only a unique identifier is stored on
the client side (called a "session id"). This session id is passed to
the web server every time the browser makes an HTTP request (ie a page
link or AJAX request). The web application pairs this session id with
it's internal database and retrieves the stored variables for use by
the requested page.
If you want to implement something like "remember me" you should use cookies because data stored in session isn't persistent.
For setting and getting cookies in webapp2:
response.headers.add_header('Set-Cookie', 'remember_me=%s' % some_hash)
request.cookies.get('remember_me', '')
I strongly recommend you to read this article that has explained this stuff thoroughly.
I wish to access information from this website using Python. But I cannot figure out how to post my log in information using urllib2
https://www.linksyssmartwifi.com/
Can anyone explain why it isn't working?
Edit - This question has been listed as too broad. I will be more specific.
When I try to use the following code, I can't seem to 'post' the user name and password to the webpage.
import urllib2
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm=' ??? ',
uri=' ??? ',
user='USERNAME',
passwd='PASSWORD')
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
urllib2.urlopen('EXAMPLELINK')
I am assuming this is because there is no string in the url containing the data and/or there is no api on this page that allows for posts. I don't understand WHY it is not working, I don't actually have any error code. If I print the content I've received after urlopen I get the html code of a page, but without having it logged in.
But my understanding here may be incorrect.
I actually would like to find out information about how many people are logged in to my home network, using a remote connection. I'm assuming this is the only way. I would like to automate some stuff based on who is logged into my local network, the information is available on this page after I log in.
I would preferably like to use Python or Bash scripting to do this.
This site does not use basic http authentication so the HTTPBasicAuthHandler you made will not even be called. The site just posts the username and password using SSLv3. I checked it out with fiddler.
Also, you may need to create an ssl handler. I had problems with urllib with https and had to use the handler below.
import urllib2, ssl
sslv3_handler = urllib2.HTTPSHandler(context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
opener = urllib2.build_opener(sslv3_handler)
This is more of a general newbie question:
How do desktop applications that hook up to a service typically verify users? How would I do this for a Django app? Would it be as simple as passing the credentials to a blank view that checks the username / password?
How is it typically passed?
Thanks
You can create a custom login view on the django side, as detailed here. Have it return a message based on the whether the username and password parameters (should probably be sent via a HTTP POST, preferably over SSL) were valid. On the desktop client, if the response is valid, it should get the value of the cookie that got sent along with the response, and it should keep that cookie with every HTTP request that is made for the rest of the session.
Not sure what you meant, but for example if you want to check user's credentials from desktop python application by some method in django app, you can use httplib module and send POST request and then check the response you get. Make something kind of:
>>> import urllib
>>> params = urllib.urlencode({'spam': 1, 'eggs': 2, 'bacon': 0})
>>> f = urllib.urlopen("http://www.musi-cal.com/cgi-bin/query", params)
>>> print f.read()
(Example taken from Python docs)
I would like to know, when is the right moment and how to check the browser cookies support.
I understand I have to check the next request and for instance, with beaker, looking for the session key _creation_time or request.headers['Cookie']... and raise an exception if not found but I don't want to do that or something similar for every request. Some parts of my application don't require cookies, like the home page or info, faq page...
When a user logs out, the session gets deleted or invalidated and I used to redirect to the home view, if I check the session key at that moment, I'll not find it but it doesn't mean there is this issue.
An example I used at the beginning of login view:
try: request.headers['Cookie']
except KeyError:
return HTTPFound(location=request.route_url('home'))
Please also note that if I try to print an error message using request.session.flash(msg, 'error') or use the snippet again at the beginning of the home view and render a message with the template using a control return variable, after logout it will be erroneous displayed.
I am looking for the most elegant way to resolve issue...maybe subscribe to a event?...write down a function to call in some interested view?
There are a few things that could the cause of your problems.
Before I continue... FYI Pyramid uses WebOb to handle request and response objects
WebOb Overview
WebOb Class Documentation
Scenario 1
If you call set_cookie under Pyramid , and then do a redirect, the set_cookie will not be sent. This is because redirects create a new response object.
There are a few ways around this:
The most straightforward is to just copy response headers into the cookie when you raise/return a redirect
return HTTPfound( "/path/to/redirect", headers=[ (k,v) for (k,v)\
in self.request.response.headers.iteritems() if k == 'Set-Cookie'] )
OR
resp = HTTPFound(location='/path/to/redirect')
return self.request.response.merge_cookies(resp)
I should also note that MOST browsers accept cookies on redirects, however Safari does not.
another way is to use pyramid's hooks to convert cookies behind the scenes. i wrote subscribers that automate this. they're on pypi and github. https://github.com/jvanasco/pyramid_subscribers_cookiexfer
Scenario 2
There are two ways of handling sessions in Pyramid. Pyramid has its own session library, and then there is Beaker, which handled sessions for Pylons and has Pyramid support that many people use. I can't speak of pyramid.session, but Beaker has two modes to kill the session:
delete()
Delete the cookie, and clear the session
invalidate()
Clear the contents and start a new session
If you call invalidate(), the Beaker session cookie stays the same and all the session data is cleared -- so you can start storing new data into an empty session object.
If you call delete(), the cookie gets killed as does the session data. If you put new information into the session, IIRC, it will go into a new sessionid / cookie . However, as I noted in the first part above, set_cookie will get called but then thrown out during the redirect. So if you delete() the session and then don't migrate the set_cookie headers... the client will never receive a session identifier.
Some example behaviors of cookies under pyramid
Behavior of redirect
User visits site and is given cookie: SessionId=1
User clicks login
App saves login status to session "1"
App calls set_cookie with "LoggedIn=1"
App calls redirect to /home
Redirect sent, no cookies
User lands on /home
App only sees cookie for "SessionId=1"
Behavior of delete with redirect:
User clicks logout
App calls 'delete()' on session, killing the datastore and placing a set_cookie in request.response to expire the old cookie. if a new sessionid is created, that is sent as well.
If app renders a response, then client receives cookies
If app redirects, client does not receive headers to expire the cookie or set up a new one
Behavior of invalidate with redirect:
User clicks logout
App calls 'invalidate()' on session, killing the datastore
App sets a custom "loggedout=0" cookie
If app renders a response, then client receives cookies
If app redirects:
Client does not receive "loggedout=0" header
Client still has the old session cookie, but it was invalidated/purged on the backend, so they are effectively locked out.
side note: I personally don't like using the request.headers interface -- which handles all headers -- to get at cookies. I've had better luck with request.cookies -- which returns a dictionary of cookies.