I'd like the users of my web application to not have to register a user account before they can vote. I've seen websites where I could freely vote up or down on what ever I want without having to register. How is this handled? How can I prevent the same person from voting infinite amounts of times?
I'm using Python and Django. I'm thinking of implementing facebook login, but I'd like to hear some of the experts' comments. I'll mark the most helpful answer as correct.
Don't rely on facebook login, as users without facebook will not be able to vote.
As there is no real way to be sure that an unregistered user will not vote twice (he can connect himself from another computer, or whatever), you have to define yourself what is the criteria you want to use to check his identity.
You have different ways to solve your problem, all of them rely on storing information about the user that voted. You can rely on ip address, or store information in session or in cookies to know if your users already voted or not.
I would create a session variable that will tell me whether they've voted or not. True, the user could clear their cookies and vote twice but that is an edge case. If you're letting them vote without registering I'm guessing the poll isn't too scientific.
Django has some good examples on their website about how to use sessions.
https://docs.djangoproject.com/en/dev/topics/http/sessions/#examples
This one in particular should be helpful to you. Instead of votes they're dealing with comments:
def post_comment(request, new_comment):
if request.session.get('has_commented', False):
return HttpResponse("You've already commented.")
c = comments.Comment(comment=new_comment)
c.save()
request.session['has_commented'] = True
return HttpResponse('Thanks for your comment!')
Related
I have to implement a function in my website where there can only be one login per account. So, if a user logs into one browser, the others will automatically be logged out. I am using Flask for backend. Is there any such implementation in Flask, and if not, what are some ways by which I can implement this?
I don't know of any implementation. The first thing that comes to my mind is to modify the user model. You could add a column for logged_in, which get's changed to True when the user is logged in and to False if the user logs out/ the session is dropped.
You would need to check this attribute when verifying the user login. For further specific help consider posting an MRE of your question.
Details
I have made my custom authentication process for the users, (no, i didn't use django's dedicated authentication), I almost finished it, but still having concerns on the most important part at the time.
so these are main parts of authentication process:
User sign's into the website via steam's social authentication.
My authentication system checks if database contains user's data, if not it will create a new user object with all the information.
System will create cookie as key logged with the value of True.
After these steps, there begins a problem, website should show users data when logged cookie's value is True.
Strategies and Questions
So as example, let's take stackoverflow, as i see: when it's login cookie is activated, it show's me my profile picture, and my score.
How did it know that i was that specific user?
via cookies:
If i tracked users data via cookies, i know that it would be a very bad idea since they are super-easy to change.
via ip address:
Then there's a second way, to track them with ip address, which i don't think is a good idea:
from .models import User, IPs
from django.http import HttpResponseRedirect, HttpResponse
import steamapi
def index(request, self):
ip = request.META['HTTP_X_FORWARDED_FOR']
for search in IPs.objects.all():
if str(ip) in str(search):
break
user = ip.strip(ip) # model will contain ip address with username. e.g ( user 127.0.0.1 ), so i strip the ip
else:
username = steamapi.user.SteamUser(self.steamid) # i get steamid from different function which is not important.
username = IPs(data=username + " " + ip)
username.save()
print request.COOKIES
if request.COOKIES.get('logged'):
return HttpResponse("User %s" + "is logged in" % username)
else:
response = HttpResponse("User is not logged in")
response.set_cookie('logged', True)
return response
via sessions:
I don't exactly know Django's sessions (except cookies), would it be good if i used django's cached sessions? if so how?
Note: i am looking for the code that will fit to my steps at beginning, so code example would be excellent.
First strategy is totally bad idea, i think second is not pythonic and is not a good strategy, Third however, is one i need a help with.
General Question:
So what would best strategy be for displaying specific users data on the website? As i mentioned simillar to stackoverflow's bar, where it displays my profile picture and score.
Writing your own auth system is a nice way to learn all the details of how it works, but you must be careful to not introduce security issues. The Django auth framework has been working for 10 years or so, so it can be trusted to do the right thing.
Bruno's answer is right: you should use sessions. Sessions work by setting a cookie with a random value on the user's computer. After that, the browser sends back that random value on each request, and the Django Session framework (a middleware, IIRC) matches the random string with a Session instance (dict like object) and puts it in the request instance.
If you're using a modern Django version and for any reason want to stick to using Cookies only, you can check out the new Cookie based sessions. Internally, it signs the cookie (meaning no-one else can tamper with it, even though it's stored on the user's computer).
The canonical solution is to use sessions. FWIW note that all of your problems are already solved in Django's contrib.auth app, taking care of a whole lot of known security issues.
I'm working with a Django application and my current goal is to keep track of the user session with cookies. I have a feeling that, as always, my understanding is a bit off with regards to how I do this.
For starters, I would like to manage how long it has been since a user has logged in, that way I can successfully log them out if they haven't visited a new page in "x" hours. I am not sure what exactly is standard (for a social network).
Is this information I store on my server? Do cookies actually have any relevancy here? I've used cookies before to store things like a user's timezone, but I am struggling to deal with how I keep track of the user.
All I currently have in terms of user back end is from the django.contrib.auth package.
The only thing I really know how to do in terms of "grabbing" the user's info is done by using statements like if request.user.is_authenticated(): (etc.).
I realize this is somewhat of a complex question, so I will try and narrow it down:
How do I extend my existing information about the current user to capture "last activity" so I can log him/her out if they haven't been using the site in a certain period of time?
Do I need to define a custom user model?
My next step after is to create a different type of user, so I feel like I need to make custom user models - beyond just extending the normal user form to make a profile etc.
Thanks for your understanding,
I know I can be confusing when I don't understand things.
Thanks for your time,
James
You can configure the session middleware for logging out the user automatically,
configure the SESSION_COOKIE_AGE, to some low value, and provide the SESSION_SAVE_EVERY_REQUEST, as True.
This will automatically logout the user after certain inactivity, without any need of extending the profile.
SESSION_COOKIE_AGE
Default: 1209600 (2 weeks, in seconds)
>> The age of session cookies, in seconds.
SESSION_SAVE_EVERY_REQUEST
Default: False
>> Whether to save the session data on every request.
If this is False (default), then the session data will only be saved if it has been modified – that is, if any of its dictionary values have been assigned or deleted.
And for creating custom/extending User Profile, Django 1.5, comes with configurable User model, please check the docs for examples.
I'm new to Django but am working on the tutorial on the Django website for creating a poll.
What is the best way to make it so guests (no registration / login) can only vote once on a poll?
IP (Don't want IP because people sharing a network can only vote once).
Cookie (User can delete the cookie but seems like the best approach).
Session (If the user closes the browser the session will change).
I'm guessing that Cookie would be the best approach but is there a better way for Django?
There is one solution independent on the server framework you use:
Evercookie gives you virtually irrevokable cookies. Use them, if you want that level of data persistence.
Evercookie is a solution for storing data in cookies and various other places (such as memory used by Flash "cookies", HTML5's LocalStorage etc.). If any of these places is cleared, next visit on the site will populate it with data again. The only thing you need is the data stored in any of 13 places used by Evercookie and next visit populates it again to the other 12 places.
It is pretty hard to get rid of such cookies, so please take into account, whether your users actually agree to be tracked that way. Some of them certainly would not agree.
If it is that important that people can only vote once, consider creating a basic registration / login system anyway. A guest can always use multiple computers to skew the voting while account registration at least allows you to track which e-mail addresses are being used to vote. It also takes a bit more effort to skew the voting that way. If it's important but not of life-saving importance then I would use the cookie approach for anonymous guests.
is there an easy way to configure the authentication system in Django like amazon
does it?
If you are going to login in your amazon-account and the you are going to close your browser, even after two days when you are going on the webpage again, amazon is greeting you with your name. When you are going to shop, you still need to retype your password.
Is it possible to do it this way in Djanogo? Do I have to do something special in the settings.py?
As far as I know, I just can log in or out, even when I am going to close the browser, I am logged in again without any asking of my password.
Thanks for help!
Craphunter
See the documentation on sessions, in particular the section titled Browser-length sessions vs. persistent sessions.
They explain precisely how to achieve what you're asking: request.session.set_expiry(...).
I think most likely what Amazon does is based on time and not on whether you close the browser or not. So most likely what you should do is store in the session, the last time you saw that user. If you saw them over an hour ago, then automatically log them out (use Middleware for this).
request.session['lastseen'] = datetime.datetime.now()
Now in your middlware just be careful in logging them out, as you still need to store their id or username in the session. This is still easy to do, just read here:
http://docs.djangoproject.com/en/dev/topics/auth/#how-to-log-a-user-out
So basically what you want to do is to logout a user, then after doing so, store their id or simply their username into the session so you can retrieve it later. Doing a logout will completely clear their session, so you need to make sure to add their id or username after performing the logout() command. Then wherever you want to retrieve that data you just pull it from the session variables.
logout(request.user)
request.session['userid'] = request.user.id
Then you now have three possibilities for a user: AnonymousUser w/out saved id, AnonymousUser w/ saved id, or Authenticated User.
This way even if someone isn't logged in, you still can get their id from the session.