And this includes the sub-question: How is an opencart token generated?
I ask this because I have made an installation of opencart that was copied (DB's and everything) and only the respective config.php and admin/config.php were modified (caches were all deleted) and this was done like 30 times.
All is fine and all stores work. Their respective store owners have different passwords and are able to log in and manipulate their stores.
The thing is... All stores are accessible as sub folders of my domain.
domain.com/store1
domain.com/store2
etc.
Here's the kicker: Logging into one store with the owner's password (say domain.com/store1/admin) works ok and generates a token for the session.
The problem is... that the token is now accepted in all stores (whose owner are different people with different passwords)!
Simply by changing the url from:
domain.com/store1/admin/index.php?route=common/home&token=3b029982197b80009b608328508aade2
to
domain.com/store2/admin/index.php?route=common/home&token=3b029982197b80009b608328508aade2
works and now Store owner 1 has access to Store owner 2's admin panel without ever knowing or entering his password.
Quite critical!
How do I make it so that this is not possible. Help me understand these opencart tokens please.
There's a couple of ways you could achieve what you want. You could either
Save the store's URI in a session variable alongside the token that can be validated against
Save the token in the user table and validate against that
The actual validation of the token is done in /admin/controller/common/home.php in the method login()
Related
I am creating a saas, software as a service site with django.
Due to the project requirements the users are inside schemas/tenants, for that im using the fantastic django-tenant-schemas app, one user can have accounts inside different schemas (they share username and password) ... i want to let the user move throught the different schemas they are in more or less freely ... for that i have created a view where the user can select on what schema he wants to be on.
When i use an application wide cookie session that is when i have the cookie setting as ".domain.ext" (django documentation) that works fine but its NOT the behaviour we really want for our application.
What we really need is to be able to have different versions of the app on different browser tabs.
So we have to set the cookie configuration to "domain.ext", then everything breaks because the original view is on one tenant and the next view (where the just logged user really belongs) is inside other tenant then the old cookie is deleted.
So the question is how can i programmatically set the cookie correctly on the new view so the user that really belongs to that tenat is still authenticated.
Or is there any alternative approach we could use for that? Any examples?
EDIT TO CLARIFY as demanded:
Person A belongs to 2 schemas SH1 and SH2 on both of them he has the same username and password.
On every password change the password hash is replicated on all the schemas they belong to so they dont have to remember specific passwords or usernames.
When the person is logged on SH1 the url will be sh1.domain.com when he is logged on SH2 the url will be sh2.domain.com
So lets say the person is now logged on schema SH1, he decides to switch to schema SH2, to be able to do that i need the user to still been authenticated so that view has to be on the SH1 schema, but then its redirected to the new schema force authenticating the user but since the cookie is set as domain specific (default django behaviour) when the user lands on the next url sh1.domain.com/whatever the previous cookie is deleted and thus he has to log in again to be able to access.
If I'm understanding correctly, you want the ability to have the behavior of a cross-domain cookie, but without actually using a cross-domain cookie.
The immediate answer that comes to mind is "well, use a cross-domain cookie". This is pretty much the vanilla example of a situation where you'd want to use use a cross-domain cookie. Engineering a complex solution so that you can avoid using the simple solution never ends well :-) Unless there's some other constraint in play that you haven't revealed, I'd start by questioning whether you shouldn't just be doing this the easy way.
However, assuming there is a good reason (and, frankly, I'd be interested to know what that is), the problem you're going to face is that browser security is essentially trying to stop you doing exactly what you're proposing. You want to know, from domain SH2, whether something has happened to a cookie set on domain SH1. That's exactly the situation that cookie security policies are designed to prevent.
The only way you're going to be able to work around this is to have a third party that can share knowledge. When user A logs into SH1, you do password authentication as normal - but you also post a flag somewhere that says "User A is now on SH1". When A logs into SH2, you post the corresponding flag. If A goes back to SH1, you check against the central source of truth, discover that they're currently on SH2, and force a login.
You probably could do this by manipulating cookies and session keys, but I suspect an easier way would be to use an Authentication backend. What you'll be writing is an authentication backend that is very similar to Django's own backend - except that it will be making checks of cross-domain login status against the central source of truth.
How you implement that "source of truth" is up to you - an in memory cache, database table, or any other source of data will do. The key idea is that you're not trying to rewrite cookies so that the same cookie works on every site - you're keeping each site's cookies independent, but using Django's authentication infrastructure to keep the cookies synchronised as a user moves between domains.
I need some advice / ideas if someone is inclined to help: I have a javascript interface for manipulating pictures. Basically it's about moving photos around. Once it's done the position of images is saved into a Django form and then saved to database with the owner saved as the current user. Now the trick is that I would like to be able to allow non registered users to play with this interface and then if they like the result they hit save and are redirected to an account registration page and only then the form is actually saved with their user as the owner.
What comes to my mind now is to keep the values of the form in session but I don't know what will happen to the session once the anonymous user registers and becomes another user. I was also thinking of using a 'next' parameter in the registration process with the url filled with get parameters that would be the content of the form but then I don't know if userena is ready to allow that.
Any light on this is welcome.
Well, we did similar thing on our site.
When unregistered user attach photos we save objects to database and assign unique hash which was generated when user came to the page with form. When user hit submit we pass this hash in url and on the next step, when user wants to register, we just get objects from database by this hash and assign user_id to them.
Also we have a cron job which do clean up and removes all lost objects
P.S. Sorry for my english i hope you'll get my point
Save the object without the user and store a reference of that object in the session (or (signed) cookie). If if the user registers, update all the objects with the newly created user.
Another approach would be to store the data in the browser (html5 localstorage and fallbacks, or similar) and only insert it into the database once the user has signed up. You would need to make sure both things happen inside the same browser 'instance', but things would be easier in the server side.
Scenario:
I have an administration-application which manages the user accounts for another application. Now I would like to place an user-specific-link (e.g. Click here to login with user1) in the administration-application allowing the admin to directly log in with the user in a separate browser window or tab (target="_blank").
Problem:
When the admin clicks two or more links and opens two tabs with tab1=user1 and tab2=user2, the last clicked tab overwrites the session-variables of all other tabs. Sure... that's how sessions work, but I wonder if there is a way to let the admin manage multiple user interfaces with one session in multiple tabs? But I don't see a possibility to identify a specific tab in the browser so that I could say "in tab1 is user1 and in tab2 is user2 logged in ...
Question:
Has anyone done something similar and likes to share the basic idea of solving this?
EDIT:
One possible solution could be to add an parameter to the URL with the userid and hand it through to every page, right?
As your edit points out, the way to do this is with a url variable that specifies who the user should be.
There are a number of security issues with this approach tho.
I'm assuming that your initial link is doing some sort of security check to make sure that the initial "log in" of the user is an authorized request. You'll need to do a similar thing for this method. If your initial request is something like http://example.com/page.cfm?userid={id}&authtoken={encryptedtoken} I would then put that userid into the session scope as a valid userid that the admin can impersonate. The more links they click on the more users they can impersonate. On subsequent requests you check the requested userid against the allowed list in the session and either allow or deny the impersonation.
You'll also need to update all the links on the site so that they include the userid in them. The easier way to do this is to cheat and user jQuery or such to rewrite all internal urls with the userid appended. You would conditionally include that javascript based on the above check.
Lastly you'll likely want to prevent these urls that include the userid from appearing in search engines, if it's not a fully locked down site. You'll either need to use canonical urls to remove the userid, or set x-robots headers to tell search engines not to index the urls where the userid has been specified; or both.
That's the most primitive method of getting different "sessions" for multiple users in the same browser. However you'll then bump into issues if you're using the session scope for anything meaningful, because each tab will try overwriting the other. You'll need to overwrite the normal site session variables on each request, or you'll need to create different structures in the session scope for each userid that is used. How much of a problem this is depends on your application.
It's a do-able thing, but probably a lot more work then you were hoping for.
The other option is to get the admins to use Google Chrome with multiple profiles and copy and paste the login url into different profile windows. A slight inconvenience for them, but a lot less work for you.
A site I am working on (using django) requires that users can access a subset of the functionality temporarily by following a URL sent by email, instead of having to login properly (i.e. with username and password).
I am, of course, aware of the potential security issues with this proposal. Therefore, the tokens included in the url are randomly generated and stored on the server (instead of hashing the username or something similar), and expire.
In addition, I would like to restrict the permissions of users accessing the site through such a token URL, so that they can only access some (very limited) information, while their credentials are required for any more substantial actions.
I had implemented this in a rather crude way: Briefly, instead of authenticating the user through the token, it is stored as a session variable, and the few views that recognize the token validate it. However, it would be great to have an extended solution: For example, a global user.has_token check would be brilliant. I can't imagine, however, how a more elegant solution might be achieved.
So my question is: How would you implement such a system? Is it, for example, possible to temporarily allocate or restrict permissions in django? Might a custom middleware be necessary here?
Any help would be much appreciated. Thanks a lot!
Edit: Following the discussion below, I would like to further specify the question: Would it be efficient to assign groups through a middleware on every page view? Would it be feasible to add properties to the user object at run-time (similar to the user.has_token example above)?
usings django groups you can restict access
below link gives you the example:
http://bradmontgomery.blogspot.com/2009/04/restricting-access-by-group-in-django.html
I understand request.sessions dictionary and how to use this.
However, it appears that values set using request.sessions is only valid while the user is logged in.
I need to set a persistent cookie that lasts for a fixed time period and not dependent on whether the user is logged in or not.
What I would like is to store a value for an anonymous visitor to my site, and also retrieve that same value if that user creates an account and logs into the site. The value should be retriEvable if the user logs in or logs out between sessions.
Any code examples on this?
Sessions should work fine for anonymous users. What's happening to make you think it only works for authenticated users?
Aside from that, maybe take a look at deferred registration which may do what you're looking for, http://tartarus.org/james/diary/2009/07/24/implementing-deferred-registration-with-django .
As Rolo says, Sessions work when for anonymous users, but When you use the auth.logout method the session is completely wiped. In your logout view, you could call auth.logout, then add whatever data you wish to persist back into the session.