I was reading up on cookie validation and came across the question of how exactly does Django validates its cookie?
If I remember correctly, Django stores session id in the cookie for later use. Does that mean that anyone who fakes the cookie will be able to use arbitrary session data?
The validation itself is damn simple: against the data in in the session backend. As you can see here, the data you receive in a cookie comes from your session, session_key attribute. Where it is being stored depends on your session backend, by default it's the database.
It is impossible to "fake" a cookie. Unless someone stole your SECRET_KEY. More detailed info here.
If someone steals a cookie from a client, the thief can use the client's session till it expires. You cannot prevent it. If you are aware of such a case, the client's password needs to be changed ASAP, as it will lead to invalidation of ther user's existing sessions (starting from Django 1.10).
Upd: your question made me curious whether the session backend actually stores the value as is... Figures, it does. (I got also impressed there's pgAdmin for Windows)
Related
The offical documentation states the following about deleting a users cookie:
Link
DELETE /_session
Closes user’s session by instructing the browser to clear the cookie. This does not invalidate the session from the server’s perspective, as there is no way to do this because CouchDB cookies are stateless. This means calling this endpoint is purely optional from a client perspective, and it does not protect against theft of a session cookie.
I can invalidate the cookie on the client but what if somebody siphons the AuthSession=123abc and uses it on the quiet? Isn't this a security problem?
I would like to know how I can avoid this behavior and really destroy the cookie because I would like to have a somewhat secure application with CouchDB.
I'm certain I've answered this question before, but I can't find the duplicate question, so here goes again:
The cookie is a simple hash of the user's login name, the time the cookie was created, the user's password salt, and the server's secret.
This means that to invalidate an existing cookie, you must either wait for enough time to pass that the created timestamp is far enough in the past that the cookie is not considered valid, or change one of the other parts of the hash.
In effect, this typically means it's impossible, because:
Changing the user name means the user will no longer be able to log in.
Changing the user's password salt will also mean the user can no longer log in, unless you also store the user's plaintext password, so that their password hash can be re-calculated. (probably a very bad idea)
Changing the server secret will render all sessions invalid for all users, not just the one you're targeting.
If invalidating active sessions is a hard requirement of your application, it's best done in a reverse proxy server that handles authentication, and uses proxy authentication to interact with CouchDB.
I'm using session to store an object id and its description, this instance should be blocked to all other users while it is beign used in someone's session, and I would like to release the user object once he closes the browser, now I'm aware there is a configuration to expire sessions on browser close, I was just wandering if there is any entry point where I could add some custom code
What I'm trying to achieve is something like
def OnSessionExpire(???):
#release my objects
I've searched around but found no answer, can someone lay a help here? I'm using the backend session mode
Thank you !
Django doesn't do anything at all when the browser closes. Django doesn't even know - how can it: the only time Django knows anything about what you do in the browser is when you make a request to the server, but closing the browser is the opposite of making a request.
Session expiry on browser close is an attribute of the session cookie, not anything that Django does. It just means that the cookie is set with a flag that tells the browser not to persist it when it closes. The actual session data remains in Django's session store, and will do until you explicitly clear it, but is not accessible because the cookie has been removed.
So, the upshot of that is that there is no way to tell explicitly when a session ends. The only thing you can do is to send regular keepalive signals - eg via Ajax - while the session is open, and taken an action if you haven't seen any for a while.
I was looking for the best practice to set/get login status and come across this one.
In the answer, Yuji suggested that setting or getting login status on a cookie is a terrible idea.
I am just curious why it is a terrible idea.
Can anyone advise?
The first reason that comes to mind is: cookies can't be trusted.
Now, Django does actually provide a system which stores user data in the cookie... cookie-based sessions ...they are not the default but the option is provided. Take note of the warnings in the docs - the data in the cookie is "signed but not encrypted" - this means the user (and anyone with access to that cookie) can see the data saved in the cookie in plaintext, but if they try to alter the data the cookie will be seen as invalid.
(Note that all Django sessions use a cookie, but the other session types like database-backed sessions don't store the data you associate with the user's session in the cookie itself, the cookie is just a token)
So, given that it is possible to safely store data in a cookie why do we say "don't do ever this" about the login state?
The main reason is because there is no point inventing your own half-baked login scheme when there is a standard, secure and well-thought-out authentication system provided with Django:
https://docs.djangoproject.com/en/dev/topics/auth/
If you need to know on the client-side if the user is logged in, the most common way is probably to pass a variable from the view into the template, eg request.user.is_authenticated and render some different HTML or write out a var into a javascript block.
In Javascript alone you could also check for the presence of the session cookie.
In addition to the answers given: Some people tend to use cookie blockers.
And if you clear your cookies while surfing, you can change your status.
I think they are same thing but my boss say that is not right. Can someone explain the difference?
A cookie is something that sits on the client's browser and is merely a reference to a Session which is, by default, stored in your database.
The cookie stores a random ID and doesn't store any data itself. The session uses the value in the cookie to determine which Session from the database belongs to the current browser.
This is very different from directly writing information on the cookie.
Example:
httpresponse.set_cookie('logged_in_status', 'True')
# terrible idea: this cookie data is editable and lives on your client's computer
request.session['logged_in_status'] = True
# good idea: this data is not accessible from outside. It's in your database.
A cookie is not a Django, or Python specific technology. A cookie is a way of storing a small bit of state in your client's browser. It's used to supplement (or hack around, depending on your point of view) HTTP, which is a stateless protocol. There are all sorts of limitations here, other domains cant read your cookies, you can only store a a few k of data (just how much depends on the browser!), etc, etc.
A cookie can be used to store a session key. A session is a collection of user state that's stored server side. The session key gets passed back to the server, which allows you to look up that session's state. Most web frameworks (not just Django) will have some sort of session concept built in. This lets you add server-side state to an HTTP conversation.
To complement 'Yuji 'Tomita' Tomita's answer'
with cookies You can set any information on client browser
not just id (session id),
cookies are limited (size limited to kb), less secure and less flexible compared to sessions.
django sessions are based on cookies, django uses a cookie to save session id on client
sessions are not limited to data size (because they are saved on db of server), more secure and more flexible.
I'm guessing Yes, but I'm not sure.
Both Authenticated Sessions and Anonymous Sessions would reference the stored sessions via the cookie.
########### edit: Clarify
It seems that sessions require some way of referencing for the stored session data.
This reference could be stored in a cookie OR added as a parameter in the URL.
I know this is taking you too literally, but it seemed appropriate to point out that HTTP is stateless and therefore does not have sessions. In order to maintain state, either the browser or the server have to persist the state information between requests. Traditionally, the server maintains the state, and by convention this is called a session, but it has nothing to do with HTTP as it is a workaround. Also, a session usually has a very specific connotation to it - namely that it is an individual visit to the site that will expire when it is no longer being used (some period of inactivity). It will also be different for the same user using different computers or browsers.
In order to achieve a server session, the server will generally set aside some information in memory or database to keep track of state and use a piece of identifying information to associate http requests with that state. This is usually a token. The browser needs to include information identifying the session with each http request. It doesn't matter how this happens, as long as the server and browser agree. It is most often a cookie, or url parameter as fallback, but as long as you set up the code right it could also be part of the url itself, part of a POST body, or even a non-standard http header.
The alternative that is becoming more and more popular is to maintain state in the browser and use purely ajax calls to the server. In this scenario, the server does not have to maintain any concept of session, and will simply return the data that is requested in a completely user-agnostic way. Some authentication may still be needed if the data is private, but a session token is not, and no state is kept on the server.
You can pass the session ID around as a query parameter (www.blah.com/index.php?SESSIONID=fADSF124323). But it has to be on every page. PHP has a option to enable this transparently. It is a huge mess. This is why cookies are preferred.
Not necessarily, some sites use a session ID value present in the URL that represents the session and this value gets appended to all links visited by the user.
We have to use it this way at work, since often mobile browsers don't accept cookies and this is the only way to remember a session.
Also there is HTTP-Authentication, not used often anymore today as the browser has to send username and password to the server unencrypted on every request.
HTTP-Auth just puts username and password in the header sent by your browser.
you can pretty much uniquely identify people by their browser plugins, fonts, etc.
https://panopticlick.eff.org/
When you're using SSL/TLS, then you could at least theoretically use the SSL session id to reference some state on the server.