I am developing an application using Django 1.4. When I log into admin site in another tab in the browser, the application interface in which I am already logged in automatically logs out. Please help me in solving this issue. The browser I am using is Firefox. Thanks in advance.
Admin is also a user in django. So, you can't have more than one user logged in at the same time in the same browser, can you? Try the same scenario on facebook. This is what it is. You re fine, there's no problem.
On the side note, if you are just getting started with your project use Django 1.5.
Well you cannot log into the same website with different login ids simultaneously until and unless you dont use some plugins for this feature or you are opening different ids in the incognito window.
Since admin is a superuser(still a user), hence you cannot open a multiple django accounts in the same browser. One account will be logged out in order to open the other one. This is no issue. Happy coding.
The Django admin site is just another page of your Django main website. Say if you have foo.com, then foo.com/admin/ shows you the admin portal.
And we already know that two users cannot be simultaneously logged in to the same website from the same browser.
So, you can test on your foo.com site, being an admin user itself. Experience on the Django website for any user will be same, it doesn't change with user being a staff member or superuser. Only admin site has different permissions based on these factors.
In this case, you'll be able to use both the main site, as well as admin portal.
But if you really want to use different user accounts for admin site and main site, then you should either use different browsers or Private window in Firefox.
Related
I'm quite new to django.
I've made a website that makes use of user auth for login, logout and registration.
Whenever I log into the admin panel, it also gets reflected in the actual website. The admin account gets logged into the website on its own.
I know this is the default behaviour of the django auth system, but I want to separate the auth session of admin panel and the actual website.
How can I do so?
The screenshots below show the thing which I'm talking about.
👇 Here I've logged into the Admin panel.
👇 The Admin account got logged into the website on its own by using the admin session..
I just want that both admin panel and website should have separate auth sessions and shouldn't be linked to each other.
The website is hosted online here
Thanks in advance!
You could write middleware for this, to explicitly logout authenticated users in non-admin pages as suggested in this answer:
https://stackoverflow.com/a/57357586/2135738
So, I'm adding on another app to a webapp that I'm building for my company, this one involving bill creation for invoices. Unless one has a specific account with my website, they should not be allowed to access this specific app.
I am using Django's built-in authentication system. My LOGIN_REDIRECT_URI is set to redirect to one of my apps. However, I would like for the login redirect to send the user to the app that they were previously in after login. How might I accomplish this?
Thank you in advance!
Working on a project that is powered by Django. Problem is I can't seem to find the way how to authenticate user without giving him access to the admin interface at the same time. I've read through numerous articles and tutorials about how Django handles authenticating visitors of the website and they all seem to go through creating user in admin and build a separate view for visitors to see where they're presented with login form to fill out.
They don't seem to address the problem what if the user finds out that the website is built in Django, types "/admin hits enter and then just types in his/her credentials and vuala random visitor is in admin interface which isn't good at all ?
From the docs for is_staff
Boolean. Designates whether this user can access the admin site.
I have a workspace in which I have many applications based on the same schema.
Every applications has his own login page at the moment.
I want to build another application responsible for the login of all the other applications.
The login will redirect the user to a main page that will show the links to the different modules (applications) based on the user type.
Note that only the ADMIN user can see the links to all the applications.
Different types of user will see only the links to the apps that they are authorized to access.
I read other related posts, I know I have to change the cookie name for all the app I want to share the authentication.
But my question is:
If I login successfully with a user different from the ADMIN, I am still able to access all the applications via URL, even if their link is not visible in my main page.
How can I prevent this?
Check out the use of authorisation schemes (see under Shared Components).
If you had an authorisation scheme per application you check on each page so that if the current user was authorised that application. Don't forget that each authorisation scheme would also allow users who have ADMIN access.
Hope this helps.
Just had another thought. Check out this post http://www.explorer-development.uk.com/securing-vulnerability-exploits-apex-part-2/ by Craig Sykes.
Activating Session State Protection and using Checksums would prevent a number of issues for you.
I have a flask app with a login page and connected to MySql. I usually run it on my localhost using chrome. My login's works fine. Now what i want is if i login into my app on a chrome it works fine simultaneously when i opened my app in another browser it gives again a login page which i don't need it.
I need only one login. If i logged in using chrome and if i open it in FireFox it should give me the logged in session not the corresponding login page.or just simply notify me "You are already logged in another browser, Log-out there and login Here.
Is this possible if so suggest me some steps.
This is completely not possible, since one browser does not know anything about stored cookies in another.
The common approach is to force logout on another login attempt, or, as an option, login denial if user already logged in.
Another way would be to detect logged in users in by their IP address, but this is really bad idea, since there might be thousands of users behind a single IP.