I want to deny access users to my web application when they are not in the company area ,so I can to enforce web browser to track the user location through django?
There are a few options:
Do this in the Web browser via JavaScript. You can receive the coordinates of the user there. The user has to agree, but you can refuse to show the content if they don't give the information - details would depend heavily on how your Web site works
If you want to limit it to specific offices and they have static IPs, you can restrict traffic to a list of predefined IPs in Django. This answer has some good approaches for that: Authenticate by IP address in Django
You can get the IP of the request and do a geo-lookup on the IP and use that to restrict the traffic. You likely will want to do this using middleware. Please note that this may add quite a bit of delay, so you likely will want to remember where a certain IP is, at least for a while, in some cache or datastore
Related
I'm developing a webapp(Django) that let users have an eshop just with a few clicks. I serve the shops under https://shopname.mydomain.es but then I give them the option to use a domain if they want.
For example one of my users (user1) buys "happyuser.com" in a domain provider of his choice. Then I tell them to modify their DNS to point to my server. So far so good, everything works perfectly, I use Nginx to allow access from the connected domains and everything works correctly.
Here comes my doubt. I use a middleware to detect the host, in this case "happyuser.com", I check a table in which I have the relation between user and domain name.
class UserDomain(models.Model):
user = ForeingKey(...)
domain = UrlField(...)
Then I tell Django to serve the correct shop. But what happens if another user (user2) also saves the domain "happyuser.com", how can I know which user shop should I load?. I know is unlikely that this happens, but is there a way to prevent this problem?
You need some form of activation process for the domain before you officially associate it with that user account. For example:
Ask the user to store a particular value (generated randomly for that user) in a DNS TXT record, or set a particular random CNAME subdomain (e.g. ijiqjwv87123rbbv8123.happyuser.com) to point to your domain. Then query that DNS record and see if it's as expected.
Ask the user to set up the DNS records as necessary to point to your server, then make an HTTP request to that custom domain and a specific path (e.g. happyuser.com/check) and expect to receive some specific token from your own server.
Both ways prove that the user has deliberately configured the domain, over which they apparently have control, according to instructions you gave only to them, proving that they must be the owner of the domain for all intents and purposes.
I think you're right, it's a very unlikely issue. There is not much point spending a lot of time on it. Ensure that table with customer domains have unique index on that column, stops the issue form happening and takes few moments to implement.
I have an interesting conundrum.
We have a site that is a completely separate domain, we'll say http://www.x.com and our own site that is http://www.y.com. The y.com site is actually a classic ASP site, and we aren't converting it to .NET at this time.
The problem is that there is a link on x.com that redirects to y.com from a members area. We want to "authenticate" the user to make sure they are a member from the other site. If they are, they are directed to a members area on y.com. If not, they have to provide login information on y.com.
Cookies obviously don't work due to the cross domain security, but is there a way around this? I've also looked at a service for tokens, but I'm not sure exactly how that works in Classic ASP. Any ideas or suggestions?
What I did when I needed to pass information cross domain what so hash the information into one variable and pass the url/page as another variable as a post into a page on the y.com. That page would unhash the data, set the cookies and session variables, and then do a redirect or server.transfer to the page that was passed. The same can work going from y.com to x.com.
The Twitter API returns this value for the Twitter account 'image_url':
http://a1.twimg.com/profile_images/75075164/twitter_bird_profile_bigger.png
In my Twitter client webapp, I am considering hotlinking the HTTPS version of avatars which is hosted on Amazon S3 : https://s3.amazonaws.com/twitter_production/profile_images/75075164/twitter_bird_profile_bigger.png
Any best practices which would discourage me from doing this ? Do 3rd party Twitter client applications typically host their own copies of avatars ?
EDIT: To clarify, I need to use HTTPS for images because my webapp will use a HTTPS connection and I don't want my users to get security warnings from their browser about the page containing some content which is not authenticated. For example, Firefox is known to complain about mixed http/https content.
My problem is to figure out whether or not hotlinking the https URLs is forbidden by Twitter, since these URLs are not "public" from their API. I got them by analyzing their web client HTML source when connected to my Twitter account in HTTPS.
Are you thinking of storing the image URL in your application or retrieving it for the user as it is required?
If its the latter option then I don't see an issue with hot-linking the images. If you are storing the location of the image url in your own system then I see you having broken links whenever the images change (I'm sure they will change the URLs at some point in the future).
Edit
Ok, now i see your dilemma. I've looked through the API docs and there doesnt seem to be too much in terms of being able to get images served in HTTPS or getting the URL of the Amazon S3 image. You could possibly write a handler on your own server that would essentially cache & re-serve the HTTP image as HTTPS however thats a bit of un-neccesary load on your servers. Short of that I haven't come across a better solution. GL
the things seems updated since that.
Please check: https://dev.twitter.com/docs/user-profile-images-and-banners
The SSL-enabled path template for a profile image is indicated in the profile_image_url_https. The table above demonstrates how to apply the same variant selection techniques to SSL-based images.
Why would you want to copy the image to your own webspace? This will increase your bandwidth cost and you get cache consistency issues.
Use the URL that the API gives you.
I can see that you may want to cache the URL that the API returns for some time in order to reduce the amount of API calls.
If you are writing something like an iPhone app, it makes sense to cache the image locally (on the phone), in order to avoid web traffic altogether, but replacing one URL with another URL should not make a difference (assuming that the Twitter image server works reliably).
Why do you want HTTPS?
How do I allow users to map their domains to a url on my site? (like how tumblr or blogger does)
The app is being developed in Django. I want the users to be able to map their domains to mydomain.com/username (is this possible or do I need to have a format like username.mydomain.com?)
Also my app runs on a VPS so I have my nameservers as ns1.mydomain.com and ns2.mydomain.com.
easiest way is through domain cloaking. most domain name providers will allow users this option.
another easy idea is to provide your users with a very generic html page that just includes their url on your site in an iframe and have them places that as their default directory index (e.g. index.html).
both the aforementioned would always show the base domain (without trickery). as noted below, a CNAME DNS record would take care of this, assuming they have the ability to edit DNS records...
www.someuserdomain.com. CNAME username.yoursite.com
In that case, you will have to consult your specific hosting setup for how to programmatically change your DNS settings. Whether you can actually do this depends on the host. If your server is running a DNS server that you have access to, you can probably change it that way.
We have several websites on different domains and I'd like to be able to track users' movements on these sites.
Obviously cookies are not feasable, because they don't cross domain borders.
I could look at a combination of IP address and User Agent, but there are some cases where that does not work.
I don't want to use flash or other plugins.
Any ideas? Or am I doomed to rely on the IP/User_Agent combination?
You can designate one domain or subdomain to tracking and have it serve a 1x1 pixel image which you include in all pages you would like to track. Serve a cookie with the image, look at the tracking domain's server logs, voilĂ .
This solution requires no JavaScript, and works even if the user disables third-party cookies.
First, let's make sure the user agent is sending cookies:
If getCookie("c") == null then setCookie("c", "anyValue")
Then let the request finish (aka wait for next request)
Let's call our tracker cookie uaid.
If GET http://child.com/any-page and getCookie("c") is not null and getCookie("uaid") is null...
Redirect to http://parent.com/give-me-a-uaid?returnTo=http://child.com/any-page
On http://parent.com/give-me-a-uaid, check for cookie uaid
If not exists, create it and add it to response. If it exists, get its value.
Redirect to http://child.com/any-page?uaid=valueOfParentsUAIDCookie
Child.com sets cookie uaid with valueOfParentsUAIDCookie
Redirect to http://child.com/any-page
And of course, you are validating input, and white-listing your redirect URLs :)
Flows:
This question is closely related to the Question Accessing Domain Cookies within an iFrame on Internet Explorer.
For Internet Explorer I need to take P3P Policies into account and set an additional P3P HTTP-Header to allow images to set cookies across domain borders. Then I can use simon's suggestion.
You can follow the same concept used in Google Analytics. Injecting javascript in the pages you want to track.
You do not give any context to your situation -just the basic problem. So it is difficult to give an answer that clearly fits. However, here are some techniques/mechanisms for passing information from one page to another, regardless of what domain is involved.
include hyperlink to a 1x1 pixel transparent gif image (sometimes called a "beacon")
rely on referrer information in HTTP request headers to identify page hyperlink is on
include extra parameters in hyperlinks to other site - assuming you run both sites
buy services of a company like Akamai to do user tracking for you
possibly use cross domain cookie mechanism in the future if standard is ever approved
Which techniques really come down to whether you can place software on all of the sites (servers) that the user will visit where you have interest - or you cannot place your software on all of them.