Logout functionality in django - python

All
In a Django project, if 2 template windows are opened and logout is triggered in 1 window, the other window's cookies are not cleared. How do I delete the cookies also so that the logout will be triggered?
from django.contrib.auth import logout as auth_logout
from django.shortcuts import redirect

def logout(request):
    # request = redirect('webbie.home.views.loginpage')
    # request.delete_cookie('user_location')
    auth_logout(request)  # flushes the server-side session and expires its cookie; returns None
    return redirect('webbie.home.views.loginpage')  # a view must return a response
Thanks..

In the cookie you should only store a session key. The server then needs to keep track of all session keys and associate an expiry date/time and user account with them. Every user that logs in should be given a new session key, though you may allow multiple logins per user account. So when you check if the cookie is valid you need to consult your server DB and see if you have this session key and that it's valid. If you now want to "kill" all active sessions for a user account when one of them logs out, you just need to remove all session keys for that account from your server's session key list.
You should try not to store sensitive data in cookies; a session key is enough, and then have the server associate data with this key. Now you have control of the signed-in users.
More Django session info in their documentation: http://docs.djangoproject.com/en/dev/topics/http/sessions/

What do you mean exactly? You mean if you have two windows open with the same website, and you log out in one window, you are not logged out in the other window? I doubt that.
Of course you are not redirected in the other window to a certain page because you haven't done anything in this specific window. But if you click a link that is only available for logged in users, you should be redirected to a login page.
And no, you cannot detect on client side if a user logged out from another site, at least not without Ajax and some custom checks.

Related

I am having trouble with logging users in and out of my blog

I am making a blog with Django and there is one admin account associated with the program. However, whenever I log in to the admin account and then open a new window and go to my site, the new instance of my site is logged into my admin account. Does anyone know how I can fix this?
This is happening because of session authentication. So if you log in once your session cookie will be valid throughout the browser instance until your session expires.
You can learn more about it here: HTTP session
You can either open a new tab in incognito mode or in a different browser, or use a token authentication mechanism.

Set Zope CookieCrumbler Cookie in Python Script

I know this is an old one to be asking about, but I am trying to figure out a way, through my python login script, to set the CookieCrumbler cookie(s) that are automatically sent to the user upon successful login and visiting a restricted URL.
My goal is to allow my python script to call a zsql method and redirect the user based on their account_type (a column in my db). I have this all working right now, but across two different python scripts. The first logs in the user and redirects to the second script which makes the call to the zsql method and redirects the user accordingly. I would love to be able to do this all in one script, but if the cookies aren't sent the username of that user isn't stored in a cookie and thus cannot be accessed by the zsql method.
I know how to expire the cookies upon logout, but when I change it to setCookie it wants me to define the entire cookie, which of course I need CookieCrumbler to do.
One of my thoughts was to somehow get python to invisibly hit a secure URL and deliver the cookies to the user's browser, sleep for 2 seconds to ensure they got through, and then proceed to the sql stuff.
Another option is what I already mentioned, which is to get CookieCrumbler to send the cookies to the user's browser directly instead of having to try and access a secure URL.
Here's the code I have now:
import time
request = container.REQUEST
response = request.response
context.REQUEST.RESPONSE.setCookie('__ac', path='/')
context.REQUEST.RESPONSE.setCookie('__ac_name', path='/')
time.sleep(3)
for user in context.account_data_select():
    if user.account_type == 12:
        response.redirect("https://secure.mydomain.com/secure/blah")
    else:
        response.redirect("https://secure.mydomain.com/secure")
Of course this doesn't work because setCookie requires 3 variables (name, value, options). I do not want to set these manually. I want CookieCrumbler to do its thing and provide the appropriate cookies to the user's browser.
Btw, I am using Zope 2.13.29 and am not using Plone. Just the standard old Zope with Python 2.7.2

How does django know which user owns what data?

If, for example, I want to show a zero (0) for all users to see, and I want all users to add one (1) to the number, with their identity only shown to superusers. And how do I make sure that each user can only add one time, and of course what are the security requirements that have to be met to prevent unauthorized access to change any of this or to get any information?
I understand this is a big topic, but could someone briefly explain for me what parts of programming are involved, and maybe some good books on these topics?
The web is stateless. This means that if a browser requests the same page twice, a traditional web server has no real way of knowing if it's the same user.
Enter sessions. Django has an authentication system which requires each user to log in. When the user is logged in they're given a session. A session is made of two parts; A cookie containing a randomly generated token, and a database entry with that same token.
When a user logs in, a new session token is generated and sent, via a cookie, back to the user which the browser stores. At the same time, that record is created in the database. Each time a browser makes a request to Django, it sends its session cookie along with the request and Django compares this to the tokens in the database. If the token exists, the user is considered to be logged in. If the token doesn't exist, the user isn't logged in.
In Django, there are User models which make it easy to check who the currently logged in user is for each request. They're doing all that token checking in the background for us on each and every request made by every user. Armed with this, we can associate other models via "foreign key" relationships to indicate who owns what.
Say you were making a blog where multiple users could write articles. If you wanted to build an editing feature you'd probably want to restrict users to only be allowed to edit their own articles and nobody else's. In this situation, you'd receive the request, find out who the current user was from it, compare that user to the "author" field on the blog Post model and see if that foreign key matches. If it matches, then the user making the current request is the owner and is allowed to edit.
This whole process is secured by the fact that the session tokens are randomly generated hashes, rather than simple ID numbers. A malicious attacker can't simply take the hash and increment the value to try and access adjacent accounts, they'd have to intercept another user's hash entirely. This can be further secured by using SSL certificates so that your connections go over https:// and all traffic is encrypted between the browser and your server.
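The server-side session registry that the first answer on this page (remove every session key for the account when one of them logs out) and this answer (random token in the cookie, looked up in a table, then compared against the article's author field) both describe, written out as a plain-Python model. This is an added example, not code from either answer or from Django itself; the in-memory SESSIONS dict, SESSION_TTL, and the login/logout/can_edit function names are constructed stand-ins for Django's session table and auth views.

```python
import secrets
import time

# Constructed in-memory stand-in for the server-side session table
# (Django's django_session table). Maps session key -> (username, expiry).
SESSIONS = {}
SESSION_TTL = 60 * 60  # seconds; an assumed lifetime for this example


def login(username, now=None):
    """Issue a fresh random session key for a successful login.

    A new key is generated per login, so one account may have several
    concurrent sessions (two browser windows, two devices)."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # unguessable; not derived from the user id
    SESSIONS[key] = (username, now + SESSION_TTL)
    return key


def user_for_cookie(session_key, now=None):
    """Look the cookie value up in the server-side table.

    Returns the username if the key is known and unexpired, else None.
    The cookie itself carries no identity; only the table does."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(session_key)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del SESSIONS[session_key]  # lazily purge an expired key
        return None
    return username


def logout(session_key, everywhere=False):
    """Log out one session, or every session belonging to the same account.

    everywhere=True is the 'kill all active sessions' behaviour from the
    first answer: the other window's cookie still sits in the browser, but
    its key no longer matches anything on the server, so the next request
    from that window is treated as anonymous. Returns the number removed."""
    username = user_for_cookie(session_key)
    if username is None:
        return 0
    if not everywhere:
        del SESSIONS[session_key]
        return 1
    doomed = [k for k, (u, _) in SESSIONS.items() if u == username]
    for k in doomed:
        del SESSIONS[k]
    return len(doomed)


def can_edit(session_key, article):
    """Ownership check: the requester may edit only articles whose 'author'
    field matches the account behind the session key (the foreign-key
    comparison the answer describes)."""
    username = user_for_cookie(session_key)
    return username is not None and article["author"] == username


if __name__ == "__main__":
    window1 = login("alice")
    window2 = login("alice")
    print(user_for_cookie(window2))            # alice
    print(logout(window1, everywhere=True))    # 2
    print(user_for_cookie(window2))            # None: second window is out too
```

The point of routing every check through the table is that the browser never holds anything worth forging: a second window with a stale cookie simply fails the lookup, and an attacker who guesses keys has to hit one of 256 random bits rather than an adjacent integer id.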

Delete session key when browser is refreshed ( Django )

How do I delete session when the browser is refreshed by the user? I do know, the following deletes the session key.
del request.session['session_key']
Edit:
I am trying to propagate user entered value across multiple forms in different views, and for that I am using session variable. However, when the user manually refreshed the page, I want to clear the session keys.
There is no way in Django (I can think of) to know if a page has been refreshed or just starting a new session, page etc. You could do something with the request and Javascript.
If after a page has finished loading you want to just remove all sessions dependant where you want this to happen, look at Signals or just removing the sessions after the request has finished in your view.
Re: deleting all sessions...
flush() Deletes the current session data from the session and deletes the session cookie. The user will remain logged in. https://docs.djangoproject.com/en/1.8/topics/http/sessions/#django.contrib.sessions.backends.base.SessionBase.flush
If you just want to delete each session key (and keep the user logged in) then do:
# Iterate over a copy: deleting from the session while iterating its live
# keys view raises "dictionary changed size during iteration".
for key in list(request.session.keys()):
    del request.session[key]
This deletes each session in request.session.

Pyramid redirect in event handler

Once a user logs for a first time in my application he has to do some selections. I do it by redirecting him to the 'configuration page'. These selections are crucial for whole webpage existence so the application shouldn't do anything before submitting them.
I want to make a request listener that would check whether user has those selections set and if not, it will redirect him to the proper page.
I have done it using:
from pyramid.events import NewRequest, subscriber
from pyramid.httpexceptions import HTTPFound

@subscriber(NewRequest)
def has_preferences_set(event):
    request = event.request
    user = request.user
    if not user.preferences:
        # fires for every request, including the one for 'set_my_preferences' itself
        raise HTTPFound(location=request.route_url('set_my_preferences'))
However, I have a few problems with it. The first is that this event is actually called 6 times for a single request (what is more, none of them is for the actual request; 2 are for static files, 4 are for pyramid_toolbar). The second is that after redirecting I get this error:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete
Take a look into todopyramid. It redirects new and existing users with invalid preferences to an account page to set up their user preferences. At every subsequent login valid user preferences will be ensured again.
todopyramid
redirects new users to an account page
updates user preferences within account view
ensures at every login that user preferences are in a valid state
encapsulates validation logic for user preferences in user model
You might customize validation logic to your needs. todopyramid is working well and encapsulates the concept you need into common models and views. No magic event handlers required.
todopyramid even has a demo page.
Regarding the redirection failure, it's because you have an infinite redirection. When you load your route 'set_my_preferences', your event is triggered and it will redirect again.
Regarding the 6 requests, it's true that all these requests, when in dev, are served by Pyramid. In production however, the static files will be (should be) served by the server in front (eg. nginx), and the toolbar won't be served.
Also note that it's heavy on the database to load user preferences in another table for each request. You should probably cache it or something if you really need it every request.
And it's a weird state you have here. Some users not having preferences and others having preferences. You should probably insert default preferences for all the users, and allow them to change those. You will avoid a lot of possible errors and also reduce the number of "if not user.preference" in your application.
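The redirect loop this answer diagnoses, and the exemption that fixes it, as an added example that is not code from the question, the answer or todopyramid. It models only the decision the NewRequest subscriber makes (redirect to the preferences page or serve the request) so it runs without Pyramid; PREFS_PATH, EXEMPT_PREFIXES and the user dict are constructed stand-ins for the 'set_my_preferences' route, the static and toolbar URLs, and request.user.

```python
# Constructed stand-in for the subscriber's decision logic.
PREFS_PATH = "/account/preferences"  # assumed URL of the 'set_my_preferences' route
# Assumed paths the check must never apply to: assets and toolbar requests that
# Pyramid serves itself in development, plus the login/logout views.
EXEMPT_PREFIXES = ("/static/", "/_debug_toolbar/", "/login", "/logout")


def redirect_for(path, user, exempt_prefs_page=True):
    """Return the path to redirect to, or None to serve the request as-is.

    exempt_prefs_page=False reproduces the original subscriber, which
    redirects every request, including the one for the preferences page
    itself, and therefore never terminates."""
    if user is None or path.startswith(EXEMPT_PREFIXES):
        return None  # anonymous visitor or asset request: nothing to enforce
    if user.get("preferences"):
        return None  # preferences already set, let the request through
    if exempt_prefs_page and path == PREFS_PATH:
        return None  # the one page a user without preferences must reach
    return PREFS_PATH


def follow_redirects(start_path, user, exempt_prefs_page=True, max_hops=20):
    """Walk the redirect chain a browser would follow.

    Returns (final_path, hops), or raises RuntimeError once the hop budget
    is spent, which is the situation behind Firefox's 'redirecting in a way
    that will never complete' message."""
    path, hops = start_path, 0
    while True:
        target = redirect_for(path, user, exempt_prefs_page)
        if target is None:
            return path, hops
        hops += 1
        if hops > max_hops:
            raise RuntimeError("redirect loop: %s -> %s" % (path, target))
        path = target
```

With the exemption in place a new user is sent to the preferences form in exactly one hop and existing users are never redirected; the same check without it loops until the browser gives up, which is what the question observed.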
