i have two flask application which using flask_login to authentication the website.
These two app have deploy on separate VM and using the same public ip but different port, for example.
------------------------------------------
APP NO. PUBLIC IP
------------------------------------------
flask_app1 202.102.222.153:80
flask_app2 202.102.222.153:4000
Problem
When i login to the website flask_app1 with some user then i access to the website flask_app2(on the same browser), the flask_app2 it redirect to the main page without do any login and when i check the login Cookies session it have the same session value with flask_app1.
So why these two website can use the same login session and how can i fix that
PS. The user that used to authentication these 2 website also have the same db id.
Related
I managed to setup windows authentication for my flask application with IIS 8.5. (Flask app runs frontend angular and also the api's needed by it). Everything works fine when i access the machine using the ip address and the port ie. the browser asks for a username and password prompt and api's work fine after authentication. But when I use the computersname.domain to access the page, there is no authentication and I'm automatically redirected(which I understand is auto-login because the requesting machine and the server are in the same domain).
The main problem is that when I use IP address to access the api's I was able to capture the username of the logged-on user using the flask variable request.environ['REMOTE_USER']. But when the computername and domain is used, I am not able to capture the username. How do I capture it?
I'm using Django and I have the following case.
My main website on dummy.com has the normal login form from Django.
The Django application is providing an API.
I have a Single Page Application on another server with the domain auth.dummy.com
My SPA is using JWT to authenticate the user so he can be logged in into the page auth.dummy.com by using the API provided by dummy.com
How can I archive it that the user who logs in on the domain auth.dummy.com automatically gets logged in into the main website dummy.com?
But I always want to keep the default behaviour from Django so Users can log in into the site from the main domain as well and not only from auth.dummy.com
Is there a special name for this kind of authentication?
I'm confused by all this names: JWT, SSO, OAuth etc.
Have your SPA set the session cookie at the same time you store the JWT. Also make sure to use the same SESSION_COOKIE_DOMAIN on both sites.
Two Django applications(DRF) are running on two separate ports 8001 and 8000 with same host localhost. I am using memcached to store the sessions. Both the application share the sessions from the memcache. when i try to access pages using second application after logining in using first I am getting error :
"The request's session was deleted before the request completed. The user may have logged out in a concurrent request, for example."
I want to build a distributed apps where one app can be used for auth running on a separate docker, so other apps can share the session using memcached
Sessionmiddleware is able to populate the session object in the Request object, but after execution of below line of code in AuthenticationMiddleware
request.user = SimpleLazyObject(lambda: get_user(request))
The session._session dictionary elements got deleted.
In the above case you are running application on two different ports with the same database. If user1 logged in with port 8000 then a session will be created for him. And again user1 logged in with port 8001 then the existing session will be replaced/destroyed by the new session. Because browser treats localhost:8000 and localhost:8001 as two different domains.
To avoid it you can use nginx as a reverse proxy server with same ip 127.0.0.1 or domain localhost. Now, route the api requests to port 8001 and web requests to port 8000.
In above case the domain localhost remains same so django will not replace existing session. So, It will work.
Reference: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
To solve this issue we need to add the same secret key in the settings in both Django applications.
Django adds the user in the request body in authmiddleware. The user can be anonymous(unauthenticated) or authenticated user. The session is verified before adding the user in the request. This verification is done as follows.
session_hash_verified = session_hash and constant_time_compare(
session_hash,
user.get_session_auth_hash()
)
This user.get_session_auth_hash() function uses salted_hmac(key_salt, self.password).hexdigest() function for verification. salted_hmac function uses settings.SECRET_KEY for calculating the hash. If both applications secret keys are different then session hasj will not be varified.
scenario:
user logs in domain-A serving SPA (e.g Angular authenticating via
API to Django using DRF's session authentication backend (cookie
csrftoken, sessionid) in another tab user opens in domain-B
classic django admin and is automatically authenticated?
Is it possible?
I'm developing a Django application. I need to authenticate users using Facebook and get the user's friends list to invite them to my site. To do this my application has to be registered with Facebook to get the API key. In the process of doing so I'm struck with the list of settings.
"http://localhost/login" --> this is the login page in my application where I have the Facebook-connect button
I need Facebook to redirect the response to "http://localhost/result", where I have a view to parse the result.
Please let me know how to configure Facebook.
Facebook can't redirect the response to 'localhost', as that's obviously local to your machine, hence the name. Your app needs to be somewhere Facebook's servers can actually see it - ie on a public host somewhere.
In other words, you can't develop and test a Facebook app completely on your local machine, as you would with a normal Django app. You'll need to upload it to your host at regular intervals to see any changes.
Alternately, you can set up port forwarding on your firewall/router to allow Facebook to retrieve directly from your localhost. The instructions for doing this vary greatly between different firewall/router manufacturers. What you need to do is open external port 80 and forward it to port 80 (or whatever port you have your HTTP server listening on) on the host machine where your app is, find your public IP address, and then use them as your callback address as follows:
http://<your.ip.here>:80/login
This will allow you to test your FB or FB-Connect app on localhost.