This question has been asked HUNDREDs of times, and there are HUNDREDs of articles on how to do this, but ALL of them only speak of environment variables, which won't work in my scenario, since the code will be run on the user's device and not my server. So the user can just open the .env file or check the environment variables I add to his system and get my secret key. I want my key to be fully hidden, even on the user's own device. HOW to do this? Please help me!
My code is something like this:
client = Client()
client.login('username', '<hidden password>')
How to hide the hidden password?
It's technically impossible to hide anything from a sufficiently educated user on their own computer (malware being one notable exception). This problem needs to be solved on the server side. The only reason why you may want to hide the password from a user is that you don't want to allow certain operations to be executed using the client or any other means. If instead the user account is only restricted to the safe set of operations, it can't hurt if the user knows the password.
I made a Flask app using flask-login and flask-sqlalchemy.
When I run my app and login with the same user id in more then 2 devices or different browsers, It fails and renders Internal Server Error.
But I want to make this simultaneous. When somebody log in with the user credentials as the same of somebody current, I don't want anybody to logout or face an error but to share the same user.
How can I make this?
If this is impossible, I want to inform the first-logged-in-user(like "your session was terminated because another user logged in with users" or something). Any hints or examples?
The issue might lie within your custom login code. You can attach your code to the question or try using the code supplied in the documentation:
https://flask-login.readthedocs.io/en/latest/#login-example
I'm currently developing a site with Python + Django and making the login I started using the request.session[""] variables for the session the user was currently in, and i recently realized that when i do that it generates a cookie with the "sessionid" in it with a value every time the user logs in, something like this "c1cab412bc71e4xxxx1743344b3edbcc" and if I take that string and paste it in the cookie on other computer in other network and everything, i can have acces to the session without login in.
So what i'm asking here actually is if anyone can give me any tips of how can i add some security on my system or if i'm doing something wrong setting session variables?
Can anyone give me any suggestions please?
Sadly, there is no best way you can prevent this from what I know but you can send the owner of an account an email and set some type of 2fa.
There are a couple of things that can do to help improve the security on session cookies.
You can force a session to expire as soon as the user closes their browser.
In your settings.py file add:
SESSION_EXPIRE_AT_BROWSER_CLOSE=True
You can manually set the number of seconds until a session expires
Using the first argument(request) of any view:
request.session.set_expiry(value) # number of seconds or timedelta object
To address your specific issue, please consider that what you are describing is actually one of the primary features of session security cookies. They are convenience tools that enable users to use the secured parts of site without having to re-authenticate with every page request. Even the cross browser aspect of it is a feature since many apps and browsers provide a sync feature that allows you to share cookies and sessions datas with your mobile and other devices and other web browsers.
If you still feel that this is too significant of a security risk, then probably the safest approach would be to remove the SessionMiddleware
from MIDDLEWARE and django.contrib.sessions both in your settings.py
My question is about real time collaboration between users in a django powered web site.
In practice what I need to know is if it's possible to implement such a system:
1) Say that all users using the web site are user1, user2, ... userN
2) Each time one of the users do something interesting notify the server and other users in order to update
the application status and the browsers ui
3) The previous point can be extended to cover not only user-triggered events but also other more general events like timeouts, or "every 5 minutes" or what ever you can imagine.
I know that browser to server and server to browser communication can be done via ajax (or something newer like web-sockets or SSE), but the part that is obscure to me is how to
notify users when a certain events occurs.
The only (bad) idea that comes to mind is to store application data to database and update it when a user do something, and at the same time have all the users polling the application status from db. But I would know if there is a way to avoid the use
of database and the polling system, in other words something like:
when event e is triggered => send to all browsers "e triggered"
Thanks in advance
I'll try to better explain my question: I would like to know how to send a response to user "Frank" when another user "John" do something. The problem isn't how the server send something to a browser but how to link john’s activity (i.e. click button, change page, fill forms) to Frank’s ui without using a database. For example think about a simple chat page, when a user type something the typed text must be pushed to all other users: in this case I don't know how to link the action "John typed something" with the action "send typed text to Frank's browser". The memcache solution sound good, but I would like to know if there is something else like a pub-sub or event system that can be used to link different users' connections.
Implement a cache (i.e. memcache) to avoid hitting the database when the Ajax call checks for changes. If you want to get fancy, look into key-based cache expiration to handle the cache invalidation.
basically, I want to have a login box, and the option to remember the password next time you log in. I know there are encryption modules out there, but they require a password to work in the first place. is there a way to get the password the user used to log into the computer, and use that to encrypt the password for my application?
so in a nutshell, how do I store a password securely for later use.
I'm using python 3, and my program needs to be crossplatform.
Sounds like you need Keyring: https://pypi.python.org/pypi/keyring
There is no way out. If the application does not ask the user for a password, then it is not securely storing passwords, it's only doing... "things". In that case, don't give the user a false sense of security, use cleartext.
A notable exception is the GNOME login keyring (and equivalent on other platforms) not asking for a password, but it uses a trick: it encrypts data with your login password and decrypts them with the same when you enter it at startup.
If you are developing a web application with a local client, consider using OAuth instead of passwords.
You cannot get the password the user used to log in to the computer.
And, if you could, you would not want to store it.
In fact, the OS doesn't even have the user's password. The OS has a hash of it, and when the user logs in, it hashes what the user types and checks that it matches.
Also, if you ask the user to log in with their system password, any savvy user is going to immediately mistrust your app and refuse to use it. Make them create a password, and then login with that, not their system password. And don't save the password, save a hash, just like the OS does.
If you want to verify that they've been authenticated by the OS… well, you already know that, or they couldn't have logged in to run your app. (If you're building a network server that allows remote login based on local accounts, that's a different story, but it's not relevant to your use case, and complicated, so I won't get into it here.)
If you want to allow someone to "stay logged in", you don't do that by saving their password. Instead, you create some kind of hard-to-fake "session key" when they log in, and store that somewhere. They don't have to log in again until you destroy the session key (which you do when they log out).
The one exception to "never store passwords" is when you need to act as a "proxy" for the user to some other application that needs their password. A well-designed application will provide a way for you to proxy the login properly, but many applications are not well-designed. Web browsers have to do this all the time, which is why most web browsers have a "remember my password at this site" checkbox.
In this case, you do want to store passwords, ideally encrypted by the OS on your behalf (e.g., using OS X's Keychain APIs), or, if not, encrypted by you code using some key that's generated from the user's "master password" (which you don't store).
Unfortunately, there is no real shortcut to learning how to design for security—or, rather, there are all kinds of shortcuts, and taking any one of them means your entire system ends up insecure and all the work you put into trying to secure it ends up useless.
The easy solution is to use complete off-the-shelf solutions.
If you want to design things yourself, you need at least a basic grounding in all of the issues. Start with one of Bruce Scheneier's "pop" books, Secrets and Lies or Beyond Fear. Then read his Practical Cryptography on designing cryptosystems, and Applied Cryptography on evaluating crypto algorithms. Then, once you realize how much you don't know and how important it is, learn everything you need for your problem, and then you can think about solving it.