How django sessions work - django

I am new to Django. I made a registration page and a login page. Now I want a registered user to log in to my website, and when a user is logged in I want to associate a session with the user which only dies when he logs out or closes the browser.
Now, whenever the user loads the page, even after a week, if the browser is not closed he should be granted access. Django is storing sessions in its database, but will I be able to authenticate the user, as different users have different permissions? Can someone suggest any resource for my requirement?

I found what I needed here: http://gavinballard.com/associating-django-users-sessions/
It's done by creating a custom model extending the default one.

Related

How to prevent django admin login and logout sessions from reflecting in actual website?

I'm quite new to Django.
I've made a website that makes use of user auth for login, logout and registration.
Whenever I log into the admin panel, it also gets reflected in the actual website. The admin account gets logged into the website on its own.
I know this is the default behaviour of the Django auth system, but I want to separate the auth sessions of the admin panel and the actual website.
How can I do so?
The screenshots below show the thing which I'm talking about.
👇 Here I've logged into the Admin panel.
👇 The Admin account got logged into the website on its own by using the admin session.
I just want that both admin panel and website should have separate auth sessions and shouldn't be linked to each other.
The website is hosted online here
Thanks in advance!
You could write middleware for this, to explicitly log out authenticated users on non-admin pages, as suggested in this answer:
https://stackoverflow.com/a/57357586/2135738

django redirect to other page and auto login to that page

Is there a way to redirect to other page and automatically log into that page?
So it's like I make a Django webpage with a login and create a link to Facebook. When the user clicks the Facebook link, it should automatically log in to his Facebook page. Of course, I will have his Facebook username and password in the DB I used to create the website.
Is this possible? Basically, I am trying to create an interface page in Django with links to several different webpages and let the user access his pages by simply logging on to this interface page alone.
I suggest that you have a look at django-allauth, which is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.
It does most of the things you want; you can go through the documentation:
https://django-allauth.readthedocs.io/en/latest/index.html

django-python3-ldap authentication

I am using django-python3-ldap for LDAP authentication in Django. This works completely fine but whenever an LDAP user is (successfully) authenticated the user details are stored in the local Django database (auth_user table).
My question now is: when the same (LDAP) user tries to authenticate next time, will the user be authenticated by LDAP or by the default Django authentication (since the user details are now stored in the local Django database)?
If the user is authenticated using the local Django database, can the user still get access even after being removed from the LDAP server? This is a real concern for me.
If this is the case, is there a way to have the LDAP user details removed from the database (auth_user table) every time the user logs out and created every time the user logs in? Any help in the right direction is highly appreciated. Thank you for your valuable inputs.
From the documentation:
"When a user attempts to authenticate, a connection is made to the LDAP server, and the application attempts to bind using the provided username and password. If the bind attempt is successful, the user details are loaded from the LDAP server and saved in a local Django User model. The local model is only created once, and the details will be kept updated with the LDAP record details on every login."
It authenticates by binding each time, and updates the information from LDAP (as you have it configured) each time. The Django user won't be removed from Django's user table if removed from LDAP; if you set multiple auth backends to also use the Django default auth, the user should be able to log in (perhaps after a password reset) if removed from LDAP. If you look in your auth_user table you will notice that users using Django auth have their passwords hashed with pbkdf2_sha256, and the LDAP users' passwords do not.
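An added example (not from the original answer or from django-python3-ldap) of auditing the situation described above: which auth_user rows are no longer in the directory, and whether Django's default backend could still accept a local password for them. It assumes LDAP-created rows hold an unusable password (Django's "!" prefix), handles only the pbkdf2_sha256 layout, and uses constructed rows plus a hypothetical LDAP_USERNAMES set standing in for a directory query.

```python
import base64
import hashlib
import hmac

UNUSABLE_PREFIX = "!"  # what Django's set_unusable_password() stores in auth_user.password


def make_pbkdf2_sha256(password, salt, iterations):
    """Build a value in Django's pbkdf2_sha256$<iterations>$<salt>$<b64 digest> layout."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def local_login_possible(encoded):
    """Could the default ModelBackend ever accept a password for this row?"""
    return bool(encoded) and not encoded.startswith(UNUSABLE_PREFIX)


def check_local_password(password, encoded):
    """Verify a password against a pbkdf2_sha256 row (the only hasher handled here)."""
    if not local_login_possible(encoded) or encoded.count("$") != 3:
        return False
    algorithm, iterations, salt, digest = encoded.split("$")
    if algorithm != "pbkdf2_sha256" or not iterations.isdigit():
        return False
    candidate = make_pbkdf2_sha256(password, salt, int(iterations)).split("$")[3]
    return hmac.compare_digest(candidate, digest)


def not_in_directory(rows, ldap_usernames):
    """Map each auth_user row missing from LDAP to whether a local login could still work."""
    return {name: local_login_possible(pw) for name, pw in rows if name not in ldap_usernames}


# Constructed sample data: (username, auth_user.password) pairs and the current directory.
AUTH_USER_ROWS = [
    ("alice", "!constructedRandomSuffix0000000000000000"),  # LDAP user, still in LDAP
    ("bob", "!constructedRandomSuffix1111111111111111"),    # removed from LDAP, no local password
    ("carol", make_pbkdf2_sha256("reset-by-admin", "constructedsalt", 1000)),  # removed, then reset
]
LDAP_USERNAMES = {"alice"}  # hypothetical result of a directory query

if __name__ == "__main__":
    for name, can_login in not_in_directory(AUTH_USER_ROWS, LDAP_USERNAMES).items():
        print(name, "local login possible" if can_login else "no usable local password")
```

Rows reported with a usable local password are the ones to deactivate (is_active = False) when the default backend is enabled alongside LDAP.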

Authenticate against Drupal users database table from Django application

I'm working with:
A) A large Drupal 7.23 application running at https://sitename.com using a MySQL database with thousands of users, around 30 of which are Staff.
B) A small Django 1.3.7 application running at http://dj.sitename.com using a PostgreSQL database with few (only the Drupal app's staff) users, who need to be able to log in to this Django app using their existing Drupal credentials.
The workflow would be something like this:
Staff users are manually created with identical usernames in each of the applications.
A staff user goes to dj.sitename.com and inputs the same username and password of their account that was created at sitename.com, and clicks submit. Django checks the username and password against the users table in the Drupal MySQL database and compares it with the details in the Django users table. If they match, the user is logged in.
When a staff user is already logged into the Drupal app and visits the Django app at dj.sitename.com, they are automatically logged in, and vice-versa.
When a staff user logs out from the Django app, they are logged out from Drupal, too, and vice-versa.
When a user changes their password in either Drupal or Django applications, it is automatically changed in both systems.
What is the simplest way to accomplish this?
You can use the Services module to expose Drupal user login as an HTTP service, which can then be used by your custom Django authentication backend. On successful login, the service will return you the Drupal user object. This object includes the roles of the user, so you can use it to validate if the user has access to your application.
I had a similar request and I've detailed my solution in this howto. Both Drupal and Django run on the same server so I can use both TCP to share data between the two platforms and drush to do Drupal operations in Django.
Every login/logout has two steps:
Login: Django login -> (auto) Drupal login
Logout: Drupal logout -> (auto) Django logout
The turning point in my analysis was to generate and use the one-time login after the Django login using Drush. Then, I use that generated URL as the destination URL of a successful login in Django and alter or suppress the password recovery message to avoid one more click.
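from subprocess import check_output
from django.conf import settings
# drush prints the one-time login URL; every argv item must be a string, so convert the uid
output = check_output(["drush", "-r", settings.DRUPAL_SITE_PATH, "-l", settings.DRUPAL_SITE_NAME, "user-login", str(drupal_id)]).decode().strip()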
Where drupal_id is the Drupal uid of the just-logged-in Django user. I have to keep a field for the Drupal uid in the Django database. Via Drush you can even create a user the first time you log in successfully.
To log out you have to log out from Drupal and then log out from Django. You can do it via Rules, calling a Django logout path after the event "User has logged out" is triggered.
What you're describing is single sign-on. You can look into phpSimpleSAML and enable SAML on both Drupal and your Django based app. Drupal has a module available here: https://drupal.org/project/simplesamlphp_auth
I'm guessing some type of SAML module/plugin exists for Django already.

Using Facebook to login / register - how to still get local user details from my database?

I want my site's users to be able to use Facebook to create an account and log in.
I will gather additional details from the user once they have logged in (id, name, link, etc.) and create a local application database entry for the user.
For future logins, how would I handle the fact that their local DB record will now exist?
How do I use the Facebook login to return and be able to get the local DB user details?
Yes, authenticating through other providers (openAuth is a biggy too and more generic) is getting quite common.
Here is the Facebook info on how to do it with them:
http://developers.facebook.com/docs/authentication/signed_request/