We are in the process of porting to Flask a POS app written in ASP Classic. We want to roll the pages out incrementally so that some pages use Flask while some pages use ASP Classic.
The hurdle is sharing sharing sessions between the two, which includes sharing the authentication variables. I have two questions about this:
Does the right approach entail sharing sessions in the form of cookies?
If so, how do I accomplish cookie-based authentication on Flask so that I can get the user variables with the cookies I send from ASP Classic?
Yes, but you would be exposing users to a security concern called session hijacking. My knowledge of Flask is minimal, but I do not think it can query session data from ASP, so you would have to pass the session's data to Flask.
Related
I have Web application with VUE as frontend stack and Django DRF as backend stack I want to enable the feature that if someone is login from one system he/she can't login from other system unless and until logout from previous session is there any proper mechanism to do so
TL;DR I wouldn't even bother trying. But if you want: use websockets and keep track of the number of users connecting to a single endpoint.
It's not fool-proof since these are just tokens which means anyone with a terminal and curl can still access whatever REST API you have.
I think you have to understand how most people are using Vue, React, and other JS frameworks with Django. They're most likely not using SessionMiddleware and using something like djangorestframework-simplejwt (disclaimer: I help maintain it, and I've got a slight bias against JS frameworks + Django).
The problem lies in how authorization works, namely stateful and stateless. In your case with these token authentication methods, you've got stateless tokens that are verified only by signing, and not by anything backed by a database/cache on the server. So we don't actually know how many tabs the user has opened.
In SimpleJWT, we have something like token Blacklist, but it won't really help that much.
So the solution is to use websockets. You can keep track of the number of users connecting to a single endpoint (after authorization and authentication. You can use something like Django channels) by creating a cache key (backed by a service like Redis or Memcached in production, local can use memory/dummy) and incrementing and decrementing by the number of connections and disconnections.
That way, you have something on the server to backup all these claims.
It's not fool-proof since these are just tokens which means anyone with a terminal and curl can still access whatever REST API you have.
I'm working on a flask web application using flask-login for user authentication.
Now the current layout is going through some changes and it was decided that some of the components should obtain data from the server in order to update on user request.
I intended to create some api routes but I'm not sure how should I now handle user authentication accessing these routes.
I'll be happy to hear what's the best practice in these cases.
Thanks
we are developing an application using Angular2 as frontend and Django as a backend. A Django backend is already in place, while the Angular2 application is in development. We chose, for obvious reasons, to use Django REST as a way to communicate with the backend.
The application login and the backend login are done in two different pages but of course the login domain and the user base is the same. The two login are working properly by themselves, but we wanted to find a way to implement a transparent login (so an user can log into any of the two application and be recognized by the other one without re-logging).
The Angular frontend is currently using Token Authentication. The server does send the csfr and session cookie along with the token. Moving to the backend, the csfr cookie is preserved, while the session is not, so a new login is required (of course, backend and Angular frontend are on different subdomains but in the same domain, the cookies are set on the domain, with two dots: '.domain.com') .
Is it possible to do what we desire? Could someone help us find the proper way to do it?
We've done some research and found Django CAS, but it's not clear for us what's about and if it fits our use case.
Thank you very much
Im developing a java web application which is deployed on a glassfish server. The web services are used to connect to user databases. Each user has a database. My question is, is there a way to keep track of the user? For example in servlets we use sessions in order to store some user specific data. Is there something similar to it in web services? It seems impractical to have to authenticate the username and password each time the user sends a request to a web service. Thanks.
Web services may also use sessions, however there are good reasons to keep them stateless:
it might be that the clients do not support sessions (cookies), e.g. if your clients are not browser based;
stateless services are easier to scale.
You do not have to use username+password for authentication. You may use JWT (or other kind of access tokens) to protect them.
Auth0 has got nice article on this topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
I am using a gwt based application and I want to introduce web service [Apache CXF ] to provide access business layer to other application which is build up in other technology like php, iphone and android.
As per client requirement,
->create gui pages in php
->create login module (with oauth concept) in php
->Use php webservice for login process
->Use java webservice to access business layer
Now my question is to access particular business layer for security reason we have to maintain user session some how. right?
so as I mention requirement how can I manage session in my Java EE app server. should I have to create a session for per user request?
How could I maintain session for user if my login module on Apache server?
Note: Please note that my login is using a php app which has some oauth feature and that will redirect to Java EE app.
Passing JSESSIONID between instances of application server will do you nothing. Unless sessions are clustered, each application has it's own session container and cannot be shared, (unless you write a custom valve that will search for all sessions in application server). Plus WS does not have a notion of http session, you would have to implement your own mechanism. Plese elaborate what are you trying to achieve? And then we will be able to help you more.