I'm building a Rust + Yew app rendered on the client side. After looking for some time in the docs, I couldn't found the proper way to handle cookies. Does anybody knows how to do it?
I want to set an auth token in the cookies.
Have a look at wasm-cookies if you just want to handle cookies on the client side. The library comes with its pitfals but after struggling a bit in the beginning I think it is ok to use.
I personally find that gloo-storage provides a much more intuitive way to handle user information on the client side if that is whay you are aiming for and if you are ok with using local/session storage and not cookie storage (which come all with its drawbacks and benefits).
If you want to use cookies to handle user sessions, authentication, etc. and if you use actix for your backend I found actix-session to be easy to use. They provide a copy-paste example which works out of the box and should give you a quick start with authentication.
Related
I am fairly new in web development and I decided to handle a user's availability to send a POST request to server. However, I do not know even whether it is possible or not but when a user close my Django site without using logout button (For example close the browser or tab), in order to understand the user is offline or online, I want to send a request to server. As a result, when the server does not get an answer from the user for a while, it automatically logout the user.
Can you tell me is it a good way to handle a user's availability and first of all is it a realistic solution? If it is, can you suggest me a document or example that helps me please.
I agree to to the answer of #Mounir. That's not related to django, if you want to know when a user is "disconnected"(close the tab or window) you need to use javascript, in concrete you need to use Sockets.
I recommend you this ones:
http://socket.io/
https://github.com/centrifugal/centrifugo
I'm using centrifugo for one project right now. In concrete, for chat and inbox messaging. It's very simple to make it run with Django.
Greetings
For logging out user you can use the Session expiration, but for all other staff you want to achieve I don't see any thin really related to Django itself, everything depend on your requirements and is more Browser/javascript related than Django.
I am creating a application using loopback.i am facing a problem to manage session.When apps login, session is created. when i reload the page session is not present on client side but it is on server side. Please tell me how to manage session on client side. And how to send response from server to client. Sorry for english but I am trouble.
Please tell me about it.
Thanks in advance.
You can inject $sessionStorage in angular and use it to preserve the session information that you get back from loopback.
But I believe that loopback already has the ability to store the access token in the browser's localStorage, so it is preserved across page reloads and browser (hybrid mobile app) restarts. So I'm not sure why it gets lost for you ... or maybe that's not what you mean by "page session"? Feel free to clarify.
You can see an example of logging in and then saving the user info to browser here: https://github.com/ShoppinPal/warehouse/blob/f03abc632ac01682e938e58db868290fb6e33083/client/app/scripts/controllers/login.js#L35-L42
If you ever find yourself in a similar situation again, try searching for code on github.com as there is some chance that you might find what you're looking for in an open-source project.
For example, you can get decent hints if you searched for user model sessionStorage path:/client/app where user model sessionStorage are keywords to look for and path:/client/app represents (more or less) the standardized directory structure for loopback (path:/client/js is another common path to try) ... it is generally worth limiting your search with it ... this helps narrow down thousands of search results into double digits. I do admit however that it doesn't always work because if you didn't know to look for the sessionStorage keyword then the search would have been quite fruitless ;)
I am writing this question after considerable investigation into this matter.
I have gone through Google's easy dashboards (gadash JS library), superProxy and plain analytics API, and couldn't find the best solution for my needs, although I can't believe my needs are so uncommon.
This is why I am turning to you, I have got a feeling I am missing something.
My requirement:
Display my own analytics account data to users on my website, preferably with Google's chart API or ga-dash, to resemble google analytics views as much as possible.
Users will not have to take part in authentication with Google API
Each user has his own query which is built dynamically !! (this is probably why superProxy cannot work for me because I think you need to manually set the queries in advance)
I use django-python as the basis for my website
problems with solutions I tried:
GAdash library - the problem is that each user has to be authenticated, and shown their own data, meaning they need access to my profile- that's simply not what I am looking for. It works great, but only for me. On the other hand if there was a way to make my profile truly public...
superProxy - sounds like a solution for this need exactly, however I don't think that you can programmatically set the queries.
I did find a way to retrieve the data for a query on the server side using my own credential which is a bit hacky, I am still missing that JS library which will parse this XML on the client side and display it as charts.
EDIT:
I ended up using Mark's solution (embeddedanalytics), since I could not find a better, easier solution.
Other alternatives were:
1. superProxy (lacking the ability to dynamically, programmatically loading new queries)
2. gaDash library - requires authentication from each user
3. Implement my own server side querying, and display to the user with some js graphics library - which would require considerable work on my side.
Check out www.embeddedanalytics.com. This is a platform/service which will do exactly what you are looking to do (disclosure - I work with them).
We also support your requirement that each user have its own dynamically built query. This is what we call our CMS Integration version. Are you trying to create a dashboard system for a CMS system you have built?
I'm trying to write a simple GUI application using Qt framework.
The purpose of this app is to retrieve data from my isp and parse them for presentation.
How do i authenticate my user/password with the webserver and retrieve the html page in question?
Are there any utility libs that make this task trivial?
I figure i need to interact with the server php script and simulate a form input somehow.
Am i on the right track?
You're on the right track, I suggest taking a look at curl.
That should make it alot easier.
edit: Hm, thought it did more than just file-transfer.
Otherwise here's a load more of interesting lib's
The way to authenticate depends completely on the authentication method used by the server. If it's some form to log in you need to retrieve that and send the correct data to the forms action target (usually as POST request). You could do this by constructing your request using QHttpRequestHeader and then simply sending it to the server. If you even know about the form you might even not need to retrieve the login page. If the website uses HTTP authentication you should be able using QAuthenticator.
I've got a webservice which is executed through javascript (jquery) to retrieve data from the database. I would like to make sure that only my web pages can execute those web methods (ie I don't want people to execute those web methods directly - they could find out the url by looking at the source code of the javascript for example).
What I'm planning to do is add a 'Key' parameter to all the webmethods. The key will be stored in the web pages in a hidden field and the value will be set dynamically by the web server when the web page is requested. The key value will only be valid for, say, 5 minutes. This way, when a webmethod needs to be executed, javascript will pass the key to the webmethod and the webmethod will check that the key is valid before doing whatever it needs to do.
If someone wants to execute the webmethods directly, they won't have the key which will make them unable to execute them.
What's your views on this? Is there a better solution? Do you forsee any problems with my solution?
MORE INFO: for what I'm doing, the visitors are not logged in so I can't use a session. I understand that if someone really wants to break this, they can parse the html code and get the value of the hidden field but they would have to do this regularly as the key will change every x minutes... which is of course possible but hopefully will be a pain for them.
EDIT: what I'm doing is a web application (as opposed to a web site). The data is retrieved through web methods (+jquery). I would like to prevent anyone from building their own web application using my data (which they could if they can execute the web methods). Obviously it would be a risk for them as I could change the web methods at any time.
I will probably just go for the referrer option. It's not perfect but it's easy to implement. I don't want to spend too much time on this as some of you said if someone really wants to break it, they'll find a solution anyway.
Thanks.
Well, there's nothing technical wrong with it, but your assumption that "they won't have the key which will make them unable to execute them" is incorrect, and thus the security of the whole thing is flawed.
It's very trivial to retrieve the value of a hidden field and use it to execute the method.
I'll save you a lot of time and frustration: If the user's browser can execute the method, a determined user can. You're not going to be able to stop that.
With that said, any more information on why you're attempting to do this? What's the context? Perhaps there's something else that would accomplish your goal here that we could suggest if we knew more :)
EDIT: Not a whole lot more info there, but I'll run with it. Your solution isn't really going to increase the security at all and is going to create a headache for you in maintenance and bugs. It will also create a headache for your users in that they would then have an 'invisible' time limit in which to perform actions on pages. With what you've told us so far, I'd say you're better off just doing nothing.
What kind of methods are you trying to protect here? Why are you trying to protect them?
ND
MORE INFO: for what I'm doing, the visitors are not logged in so I can't use a session.
If you are sending a client a key that they will send back every time they want to use a service, you are in effect creating a session. The key you are passing back and forth is functionally no different than a cookie (expect that it will be passed back only on certain requests.) Might as well just save the trouble and set a temporary cookie that will expire in 5 minutes. Add a little server side check for expired cookies and you'll have probably the best you can get.
You may already have such a key, if you're using a language or framework that sets a session id. Send that with the Ajax call. (Note that such a session lasts a bit longer than five minutes, but note also it's what you're using to keep state for the users regular HTPP gets and posts.)
What's to stop someone requesting a webpage, parsing the results to pull out the key and then calling the webservice with that?
You could check the referrer header to check the call is coming from one of your pages, but that is also easy to spoof.
The only way I can see to solve this is to require authentication. If your webpages that call the webservice require the user to be logged in then you can check the that they're logged in when they call the webservice. This doesn't stop other pages from using your webservice, but it does let you track usage more and with some rate limiting you should be able to prevent abuse of your service.
If you really don't want to risk your webservice being abused then don't make it public. That's the only failsafe solution.
Let's say that you generate a key valid from 12.00 to 12.05. At 12.04 i open the page, read it with calm, and at 12.06 i trigger action which use your web service. I'll be blocked from doing so even i'm a legit visitor.
I would suggest to restrain access to web services by http referrer (allow only those from your domain and null referrers) and/or require user authentication for calling methods.