Authentication how to


alexan...@gmail.com

Jul 21, 2008, 11:02:04 AM
to cherrypy-users
Hi, I'm completely new to cherrypy, and very happy with initial tests.

I'm getting into an issue I cannot get through.

With authentication, I want, like in my bank's pages, that when I open a
new tab in the browser and type the main URL, to be asked again for a
password, so as to be logged in as two (or many) different users.
It seems that the presence of a cookie defines that a user has logged
in.

How can that be done?

arjuna

Jul 21, 2008, 11:08:51 PM
to cherryp...@googlegroups.com
Hi,

After some research I have a very satisfactory authentication system going, and I am also developing a whole bunch of custom functionality. What I learned a little late in life, though, is that cherrypy is beautiful and powerful because it is low level. It gives you the freedom to do what you want, so you can do whatever you can imagine. However, with freedom comes responsibility. This means that you have to write your own foundation code. So for logging in multiple users you will just have to figure out how that might work conceptually and then execute it using sessions, cookies and all the other magic tricks!

On Mon, Jul 21, 2008 at 8:32 PM, alexan...@gmail.com <alexan...@gmail.com> wrote:

> Hi, I'm completely new to cherrypy, and very happy with initial tests.
>
> I'm getting into an issue I cannot get through.
>
> With authentication, I want, like in my bank's pages, that when I open a
> new tab in the browser and type the main URL, to be asked again for a
> password, so as to be logged in as two (or many) different users.
> It seems that the presence of a cookie defines that a user has logged
> in.
>
> How can that be done?


--
Best regards,
arjuna
http://www.brahmaforces.com

alexan...@gmail.com

Jul 22, 2008, 4:15:52 AM
to cherrypy-users
Hi, thank you for the answer, but can you give more clues, some sample
code or some info to read?

Best regards
Alexandre Rua

arjuna

Jul 22, 2008, 4:43:58 AM
to cherryp...@googlegroups.com
Hi Alexander,

Ok, here is the code that I am using; I got it from the password-protected pages recipe on the cherrypy website:

Any page that needs password protection is protected as below. The code relies on the Python decorator construct. You would have to modify it to suit your need for multiple logins (I don't clearly understand what you are trying to do); this is a straight login solution.

@cherrypy.expose
@needsLogin
def private(self, *args, **kwargs):
    # body of the protected page goes here
    ...


The definition of the needsLogin decorator is:

import functools

import cherrypy


def needsLogin(fn):
    """Decorator: run fn only for a logged-in session, or log the user in
    from the submitted form; otherwise redirect to the index/login page."""
    @functools.wraps(fn)
    def _loginWrapper(*args, **kwargs):
        if 'userid' in cherrypy.session:
            # User is logged in
            if 'logout' in kwargs:
                # This turns out to be a request to logout.
                del cherrypy.session['userid']
                raise cherrypy.HTTPRedirect('/')

            # allow access to the protected page
            return fn(*args, **kwargs)

        # The user is not logged in, see if this call is a request to login
        submit = kwargs.get('login')
        username = kwargs.get('loginEmail')
        password = kwargs.get('loginPassword')

        # If this is false then the user is not trying to log in but trying
        # to go to a private page directly
        if submit or username or password:
            # getUserId() is the poster's own lookup (not shown in the thread):
            # it returns the user's id for valid credentials, else None
            userid = getUserId(username, password)
            if userid is not None:  # None means the login was tried but unsuccessful
                # login successful, allow access to the protected page
                cherrypy.session['userid'] = userid
                return fn(*args, **kwargs)

        # Return to the index/login page. It comes here if the user is trying
        # to go directly to a private page or if the login fails
        raise cherrypy.HTTPRedirect('/')

    return _loginWrapper


On Mon, Jul 21, 2008 at 8:32 PM, alexan...@gmail.com <alexan...@gmail.com> wrote:

pko...@gmail.com

Jul 22, 2008, 8:14:54 AM
to cherryp...@googlegroups.com
arjuna wrote:

> Hi Alexander,
>
> Ok, here is the code that I am using; I got it from the password-protected pages
> recipe on the cherrypy website:
>
> Any page that needs password protection is protected as below. The code
> relies on the Python decorator construct. You would have to modify it to suit
> your need for multiple logins (I don't clearly understand what you are trying
> to do); this is a straight login solution.
>
> @cherrypy.expose
> @needsLogin
> def private(self, *args, **kwargs):
>
>
> The definition of the needsLogin decorator is:
>
> def needsLogin(fn):
>     def _loginWrapper(*args, **kwargs):
>         if 'userid' in cherrypy.session:
>             # User is logged in
>             if 'logout' in kwargs:
>                 # This turns out to be a request to logout.
>                 del cherrypy.session['userid']
>                 raise cherrypy.HTTPRedirect('/')
>
>             # allow access to the protected page
>             return fn(*args, **kwargs)

This looks dangerous. All the client has to do is send a cookie with a
'userid' key and some random value. That's pretty easy with Firefox and
the ModifyHeaders extension. All the attacker needs to know is the name
of your session key, which happens to be 'userid'.
To make this secure you need to generate a value for 'userid' (commonly
an md5/sha hash), store it somewhere and compare the values for each
request. Please tell me I'm wrong ;)

cheers
Paul

Jason Earl

Jul 23, 2008, 1:20:02 PM
to cherryp...@googlegroups.com
"pko...@gmail.com" <pko...@gmail.com> writes:

Actually, CherryPy's built-in session stuff that Arjuna is using doesn't
work that way. The cookie that is created will be something like:

Cookie: session_id=943618a394b5a06dc90c92cb61ddcdb47ddf65b4

cherrypy.session is just a simple way to store information that you want
to associate with that session. Now, it is true that an end user can
hijack a session if they get the session_id value. So you'd want to
make sure that you forced everything over SSL if you really needed it to
be secure.

Jason

pko...@gmail.com

Jul 23, 2008, 3:05:25 PM
to cherryp...@googlegroups.com
Jason Earl wrote:
Ok, but I don't want to hijack a session, I want access to the protected
pages and I can do that by just sticking a 'userid' key in my Cookie:
header line. I wouldn't call that protection.


cheers
Paul

Jason Earl

Jul 23, 2008, 3:33:57 PM
to cherryp...@googlegroups.com
"pko...@gmail.com" <pko...@gmail.com> writes:

Did you actually *try* that? It certainly doesn't work for me.

cherrypy.session['userid'] = 'jason'

Doesn't create a cookie named 'userid' with the value set to 'jason'.
It takes a session object that corresponds to the cookie
session_id=<some hash> and puts information in it that can be retrieved
later. This information is not saved in the cookie on the client
machine, but instead is saved on the server (in memory by default, but it
can be saved elsewhere).

In other words, it does what you probably want it to do.

Logging in isn't as easy as setting a userid cookie. Instead you would
have to guess the session_id hash of someone that is logged in.

Jason
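To make Jason's point checkable without a running server, here is an added example (not code from the thread and not CherryPy's own implementation): session data lives in a server-side dict keyed by an opaque session_id cookie, and the needsLogin decisions are re-implemented as a pure function over the Cookie: header and the request parameters. The USERS table, get_user_id(), session_from_cookie_header() and handle_private() are constructed for this example; a forged `userid=...` cookie is ignored because only session_id is ever consulted.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Server-side store, session_id -> session data; it never leaves the server.
SESSIONS = {}
# Constructed credential table for this example; the thread's getUserId()
# is assumed to do a real lookup instead.
USERS = {"alex@example.invalid": ("s3cret", 42)}

def get_user_id(username, password):
    """Return the user id for a valid login, else None."""
    entry = USERS.get(username or "")
    if entry is None:
        return None
    stored_pw, userid = entry
    return userid if hmac.compare_digest(stored_pw, password or "") else None

def new_session():
    """Create an empty session under a fresh, unguessable id."""
    sid = secrets.token_hex(20)  # 160-bit id, like the session_id in the thread
    SESSIONS[sid] = {}
    return sid

def session_from_cookie_header(cookie_header):
    """Map the Cookie: header to a server-side session (a fresh one if needed).
    Any other cookie name, e.g. a forged 'userid', is simply ignored."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["session_id"].value if "session_id" in jar else None
    if sid is None or sid not in SESSIONS:
        sid = new_session()
    return sid, SESSIONS[sid]

def handle_private(cookie_header, params):
    """Same decisions as the thread's needsLogin wrapper, as a pure function:
    ('page', sid) on access, ('redirect', sid_or_None) otherwise."""
    sid, session = session_from_cookie_header(cookie_header)
    if "userid" in session:
        if "logout" in params:
            del SESSIONS[sid]  # logout destroys the server-side state
            return "redirect", None
        return "page", sid
    userid = get_user_id(params.get("loginEmail"), params.get("loginPassword"))
    if userid is not None:
        session["userid"] = userid
        return "page", sid
    return "redirect", sid
```

The only thing a client can present is the session_id, so guessing or stealing that value (the hijack Jason mentions) is the remaining risk, which is why the id is random and the thread recommends SSL.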

pko...@gmail.com

Jul 23, 2008, 4:35:14 PM
to cherryp...@googlegroups.com
Jason Earl wrote:
> "pko...@gmail.com" <pko...@gmail.com> writes:
<-- snipp -->

>> Ok, but I don't want to hijack a session, I want access to the protected
>> pages and I can do that by just sticking a 'userid' key in my Cookie:
>> header line. I wouldn't call that protection.
>>
>>
>> cheers
>> Paul
>
> Did you actually *try* that? It certainly doesn't work for me.

Now I did. Of course you are right, the "session object" is server-side
and the session_id Cookie is just to link the "browser session" to the
correct "session object". Thanks for poking me.

cheers
Paul

Jason Earl

Jul 23, 2008, 8:15:47 PM
to cherryp...@googlegroups.com
"pko...@gmail.com" <pko...@gmail.com> writes:

Thanks for explaining the whole thing with the correct terminology.
Part of the reason that I try to help (when I can) is that I invariably
learn something.

Jason

alexan...@gmail.com

Jul 25, 2008, 10:35:43 AM
to cherrypy-users
Ok,

I have figured out that a cookie is sent back and forth between client
browser and server that acts like a key for a session object in the
server.
That's precisely my first question: how can I connect to a
cherrypy server within the same browser with 2 or more users?
Imagine my home URL is www.ina.pt; it displays some info + login form.
I enter as "user1", I open a new tab in the browser and hit again
"www.ina.pt"; would it be possible to log in again as a new user
and get a new session_id cookie, and so on...

Alex

Tim Roberts

Jul 25, 2008, 12:39:20 PM
to cherryp...@googlegroups.com
alexan...@gmail.com wrote:
> I have figured out that a cookie is sent back and forth between client
> browser and server that acts like a key for a session object in the
> server.
> That's precisely my first question: how can I connect to a
> cherrypy server within the same browser with 2 or more users?
> Imagine my home URL is www.ina.pt; it displays some info + login form.
> I enter as "user1", I open a new tab in the browser and hit again
> "www.ina.pt"; would it be possible to log in again as a new user
> and get a new session_id cookie, and so on...
>

Not with a new tab, but you can do it with a new window. Session
cookies are sent without an expiration time, which makes them live in
the memory of the browser instance, so that they expire when the browser
exits. Most of today's browsers run a new instance for each new window,
and each instance has its own local cookie set. Multiple tabs run in
the same instance, so they share a single cookie set.

If you send a cookie with an expiration time in the future, that gets
stored in a cache, and thus should be inherited by other instances.

--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.
