I am building offline progressive web application for that I need Authentication in offline for existing user.
I am trying to store user authentication values like username and password in browser using cookies. but how to retrieve username and password form cookies and check authentication in offline using service worker. thanks in advance
First of all, Service Workers are not for authentication check. You can use cookies or localStorage to store authentication details if you compromised with safety measure.
If the cookie is available in your browser to navigate the user to the next page, do that. Use service worker to serve cached files.
Related
I'm using Django and I have the following case.
My main website on dummy.com has the normal login form from Django.
The Django application is providing an API.
I have a Single Page Application on another server with the domain auth.dummy.com
My SPA is using JWT to authenticate the user so he can be logged in into the page auth.dummy.com by using the API provided by dummy.com
How can I archive it that the user who logs in on the domain auth.dummy.com automatically gets logged in into the main website dummy.com?
But I always want to keep the default behaviour from Django so Users can log in into the site from the main domain as well and not only from auth.dummy.com
Is there a special name for this kind of authentication?
I'm confused by all this names: JWT, SSO, OAuth etc.
Have your SPA set the session cookie at the same time you store the JWT. Also make sure to use the same SESSION_COOKIE_DOMAIN on both sites.
I have been reading about csrf and fiddliN around with implementing it using go and gorilla toolkit. I am also using gorilla sessions which i have implemented to store a user id in an encrypted cookie.
the cookie is decrypted and i fetch the user from the db with the now unencrypted key-value store using a middleware I wrote...
if the user is creating the session cookie from authentication through an oauth2 provider, do i have any need to implement csrf protection if all the views that need such protection are only allowed to authed users anyway?
Suppose a user has logged into your site, and has continued to browse the Internet in the same session. They stumble across another site which is maliciously targeting yours, with HTML or JS that causes the user's browser to make a request to an endpoint on your site. This will contain the user's session cookie for your domain, and succeed unless protected by a CSRF token.
I am developing hybrid mobile Application using phonegap(jquery mobile framework) and jersey rest java webservice.
How to do login and logout using mysql and rest webservice and maintain session of perticular user on every page like traditional webapplication(get username on every page).
i am totally stuck.can anyone provide sample example or any solution.
you can do in below way.
create session table contains column [id, token, userid, loggedintime]
on login call a rest like /rest/user/login?username=uname&password=pwd
which return a token to user. maintain that token at client side. you may use cookie or sessionstorage whichever supported by mobile device.
now create one Filter with path /* so each request pass through it, and in filter check that the users token is valid or not, if not than redirect to login. you can explicitly pass that token to server in queryparam or pathparam.
on logout delete entry from session table, and redirect user to login page again.
there are many way to do this thing but this is a simpler way.
It's simple, you store the username and password in your client and send them with every request. (On the server side you can have an (username, password) -> (identity, permissions) in-memory cache which can make things faster.) You need a secure connection: HTTPS. Without that you won't do REST auth.
Login is simple you show a prompt to the user, in which she can give the username and password, so you can store them in the memory of the client. By logout you can simply close the client (by browsers navigate away), or remove the username and password from the memory of it. (It is not secure to permanently store the username and password without proper encryption on the client side.)
I am trying to access a passport protected page of my Express.js app with a Phantom.js script.
How can I simulate a logged in user without knowing the passport?
I am using Passport.js as a auth library with LocalStrategy and MongoStore to safe the sessions in the mongo database. I am wondering if I can create a record in the sessions collection and set a generated cookie with Phantom.js (phantom.addCookie(...)) to simulate a specific logged in user without the password of the user?
Can I generate the content of the of the connect.sid cookie for a specific user in the backend and add it to phantom.js in order to simulate a logged in user?
Findings:
I figured out that Passport.js uses the Cookie-Signature node module to sign the cookie content and I assume Express.js uses the Connect cookie and session middleware to handle the cookie and session creation and insert them into the HTTP headers.
using javascript, you should be able to fill in your login fields and submit. (simulating a user login, not trying to recreate a login cookie)
that would probably be your best bet.
for how to fill in forms, see:
How to fill in form field, and submit, using javascript?
Automatic form fill using javascript
I want to be able to authenticate users of an angular.js application using oauth, but I do not want to store any tokens on the frontend because I have seen that it can be fairly complicated to do so securely. Is there a way to pass some sort of credentials of a user to my django web application, where is can authenticate the user with some oauth provider and save that information in a session? To make it simple, here is the process I want
User is logged into some oauth provider, i.e. stackexchange
They click a "login with stackexchange" button on the front end angular app
Their login credentials are sent over to the django application through a restful api
The django app which receives these credentials attempts to get a token using rauth
If the server receives a token, the user is logged in and their information is saved in a session, otherwise they are given an error
Is this sort of process supported by OAuth2 providers?
Step 3 is incorrect: that authentication process is handled entirely off-site, on the OAuth provider's infrastructure, e.g. StackExchange.
This kind of flow is certainly possible. I would check out the Facebook example, which uses Flask, but provides a similar framework for how you might go about this in Django.