Is possible to set protected cookie to Electron JS app? - cookies

I have an Electron application and I use a webview to login google to use some functions of a website. Each user can login with him account and will have his functions. When they login, a cookie has ben set to keep the session. But when I logout from this user and login with another in my application, the cookie continues set. I try to use store to save al user cookies but when I try to set them again I've seen that there are a protected Cookie called "__Host-GAPS".
As I read all cookies starting with "__Host" and "__Secure" are protected and only can be initialized without domain. But I need the domain, because the original cookie has it, and if I don't put it, I lose the session. When I put the domain I receive this error: "Failed to parse cookie".
I also tried to create a session from partition, but the cookies never saves on this new session, always on the default session.
I create a new BrowserWindow setting the partition session on webPreferences.
Can anyone helps me? Which is the best way to separate the cookies of each user? How can I restore protected cookies?
Thank you

Finally I found the solution. The best way to do this is to use partition in the webview. I use the next code:
<webview id="myWebview" style="height: 600px;" src="https://website.com" partition="getPartition()"></webview>
Where getPartition() function returns 'perist:' + userToken.

Related

Session and Auth in Nuclio. How to use it in proper way?

When i try to called:
Auth::getInstance()->authenticate($email,$password)
for authenticate in login controller, i called Auth::getInstance()->isAuthenticated() and get result bool(true). Then i go redirect to another page, Auth::getInstance()->isAuthenticated() give bool(false). After i use this authentication, how can i get the session is already bool(true) at any page after that until i'm Auth::getInstance()->unauthenticate() that session or make it global for the session? Currently i'm using session database.
Problem : How to authenticate the current user after redirect to another page?
Without knowing more about your code, I can predict a couple of possible sources of this type of behavior...
1) You're not writing the fact that the user is authenticated to your session/cookie, so the second page request isn't aware of the result of the first one.
2) If the authentication is successful on the first page (and you record this in the session/cookie), and the redirection happens, but you redirect back to a page already seen by the user (e.g. Homepage -> Login page -> Homepage) then your browser might be loading it out of it's local cache rather than fetching the new (authenticated) page from the server.
Try dumping your session variables to the browser to see if the authentication result is being preserved between requests, and try appending a timestamp on the redirection url or using headers to prevent client side caching. This will at least allow you to narrow down, or eliminate these two options.
The Auth plugin already manages all session control for authentication without any additional effort from the developer.
The problem you are facing could likely be because the session is not starting for some reason. This could be because Nuclio isn't detecting that it is being run from a browser. Nuclio detects this by checking REMOTE_HOST and HTTP_HOST values in $_SERVER. If both are null, it won't start the session (to avoid generating headers on a command line).
Also make sure that your base application class is extending the Nuclio Application plugin class and NOT overriding the __construct method without calling the parent construct method as this would cause all the initialization to fail and no session will be created/resumed.

Run method on session expire Django

I'm using session to store an object id and its description, this instance should be blocked to all other users while it is beign used in someone's session, and I would like to release the user object once he closes the browser, now I'm aware there is a configuration to expire sessions on browser close, I was just wandering if there is any entry point where I could add some custom code
What I'm trying to achieve is something like
def OnSessionExpire(???):
#release my objects
I've searched around but found no answer, can someone lay a help here? I'm using the backend session mode
Thank you !
Django doesn't do anything at all when the browser closes. Django doesn't even know - how can it: the only time Django knows anything about what you do in the browser is when you make a request to the server, but closing the browser is the opposite of making a request.
Session expiry on browser close is an attribute of the session cookie, not anything that Django does. It just means that the cookie is set with a flag that tells the browser not to persist it when it closes. The actual session data remains in Django's session store, and will do until you explicitly clear it, but is not accessible because the cookie has been removed.
So, the upshot of that is that there is no way to tell explicitly when a session ends. The only thing you can do is to send regular keepalive signals - eg via Ajax - while the session is open, and taken an action if you haven't seen any for a while.

How to secure local storage and clear it on browser close in ember-simple-auth?

I am using ember-simple-auth for authentication in my ember-cli application. It seems that ember-simple-auth is storing the session in local storage which doesn't seem to be secure.
I have following two questions:
I can see the session data and also able to modify it. How do I
secure this session data?
How do I clear this storage on browser close? My session and it's data are still active after I close and reopen the browser.
Thanks.
1) you cannot "secure" that data. You could encrypt it but that would be pointless as the encryption/decryption code would be open to the user as is all the other JS code of your app
2) if you don't want the session to be persisted you could either use the ephemeral store (in that case the session wouldn't survive a page reload though and you'd lose tab/window synchronization) or you could use the cookie based store which uses a session cookie by default that's deleted when the browser is closed.

handling username / password in cookie for login

Making a login script and I have the following cookies right now :
This is on every page, but expires on browser close.
session_name('Test_Login');
session_set_cookie_params(0, '/', '.test.com', false, false);
session_start();
This is stores the username if a successful login happens. When returning to the site it will fill out the username in the login form.
setcookie('Test_User', $_POST['username'], time()+365*24*60*60, '/', '.test.com', false, false);
This remembers the value of the 'remember me' option on the login form - true or false.
setcookie('Test_Remember', $_POST['rememberMe'], time()+365*24*60*60, '/', '.test.com', false, false);
This stores the user plain text password if they selected the remember me option above and lets them automatically login when visiting the site even after browser close within a day. If this and user cookie are present it checks if valid and creates the user session variables again.
setcookie('Test_Pass', $_POST['password'], time()+24*60*60, '/', '.test.com', false, false);
Other things to consider are if you log out the session pass cookie is destroyed.
My problems : I md5 and salt the user password for storage in the database. I actually never know the users pass. Problem is with the remember option I am storing their password in plain view in the cookie. What is the best way to store the pass in a cookie and it be useable in this fashion? What is the standard of doing so? Basically I just want this to act same as Facebook or any other login system. If you tell it to remember you it does - so how do they store the info to log back in without doing so in plain text in the cookie?
Is it best practice to have a separate cookie (4) for this? The session cookie makes sense, but is there not a more optimized way on my end to combine the other three?
You shouldn't store the password in a cookie it's not a good practice and can lead to security issues (somebody could "steal" the cookie for example and get the user password).
Instead, once the user has been correctly authenticated once, you could save the sessionId in a cookie and on next visit the sessionId will be passed to the server which will be able to retrieve the session. For additional security store the IP address too and check that it is the same when reopening the session. You could also make your server sessions expire after 2 weeks for example.
To do this you need to use a cookie, not a session cookie (which is deleted once the browser is closed).
Check session_set_cookie_params() and give session cookie a lifetime.
See the PHP manual for more info: http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
In the end, if you really want more security, you should definitely have a look at SSL.
You should use session variables instead of storing the data in a cookie.
Here's an example in PHP
<?php
session_start();
$_SESSION['password'] = 'YOUR PASSWORD HERE';
//then you can reference the session variable in your code
echo $_SESSION['password'];
?>
You can set how long the sessions will stay for and the user cannot directly access the session variables because they are stored on the server. This is the way many secure login system works.
Multiple sources have pointed to http://jaspan.com/improved_persistent_login_cookie_best_practice as the best practice for my purposes.

Auto logout using sessions in Django (outside views)

I'm trying to build a auto-logout function in a Django application.
Basically, with each request to the site I want to set the current timestamp in the session (if not set), and then checking that value with the current time. If the difference is too great, it should redirect to logout.
Is there a easy way to set the session on each request without adding a function to each of my views?
I know it's possible to use sessions outside views, but then I have to supply the session_key, and I'm not sure where I should get it from, or generate it myself.
I'm not sure what timestamp you are comparing with what here, or why.
The usual way to manage auto-logout is to simply set a short expiry on the session cookie, via the SESSION_COOKIE_AGE setting. If the cookie expires, the user will automatically be redirected to the login page if they try and access a page that requires authentication.