Is it possible to create Flask Sessions without Login Fields, For Example user can enter only Email address in User Name Field, which will create Session with certain expiration time, till the session is active, User2 cannot create session with same name.
Any help is highly appreciated.
At first flask by default do not store session on server - only safe cookies.
If you want use email as id (user.get_id() method) you can't. But you can create special cache (dict or etc) on server with active sessions and use unique keys as id and do not login users with exist email.
Related
I want to use firebase authentication for my django webapp. To achieve this, I think would I need to write a custom auth backend - is that right? I don't see any libraries that already do this - django-allauth looks like it comes pretty close as an alternative but I am interested in the phone number verification provided by firebase.
I'm also confused about what happens to the User model and functions like request.user or user.is_authenticated. Right now I use the authenticate and login functions - how does django know that a user is logged in via firebase? Would I still be creating a User model for every user?
Thanks
You can use Firebase Auth with any framework. You don't necessarily need to use custom auth. Typically, you would sign in the user on the client, get the ID token by calling firebase.auth().currentUser.getIdToken() and then pass the ID token to your server, verify it and parse its payload identifying the user ID and its other claims by using the Firebase Admin SDKs and then you can issue a session cookie identifying the user associated with that ID token.
On signout, you would clear that session cookie.
If you also need to persist that user on the backend after setting the session cookie, you can also use the Firebase Admin SDK to lookup a user identified by the user ID or just use the token claims to populate the user without any network call. You can populate that in the user model of associated framework if needed.
For more on session management, you can refer to this django documentation: https://docs.djangoproject.com/en/3.0/topics/http/sessions/
How to get django user session objects from user id or email?
I am stuck with a problem for a particular user, he gets logged out from the system very frequently. I need to get the list of session objects for a particular user.
Session object is accessible by session_key, which is random string. It's generated on server side and stored in client side in Cookie. So it's impossible to identify user by session.
I have a multi-page Django signup process in which a user goes through the following steps:
Create an account (username, password)
Create a profile
Upload a photo
Review and approve/change profile and photo
Pass username and user ID to payment processor
Receive "Payment OK or Payment not OK" signal from payment processor
Log user in if "Payment OK" and display website's "home" page.
In step 1 above, the user's ID and a couple of other pieces of information are stored in a session. They're then examined when necessary during steps 2 through 4. The user ID and username will also be passed to the payment processor in step 5. I'm thinking of setting the session timeout period to either 30 minutes or an hour. Here's my question. Should I read and re-assign the session variables when the user GETs each of the above pages in order to help the user avoid having their session timed out? The Django documentation says Django only saves a session when the session has been modified (i.e. when any of the dictionary values have been assigned or deleted). I'm thinking that if I "refresh" the user's session as they move from page to page, it will be less likely that they'll be timed out and will thus experience a smoother signup process.
Any advice? Thanks.
There's SESSION_SAVE_EVERY_REQUEST setting that saves session and sends session cookie with every request, effectively turning session into sliding expiration session (btw, it's a widespread name for what you want to achieve)
Refer to session docs for details
I am trying to access a passport protected page of my Express.js app with a Phantom.js script.
How can I simulate a logged in user without knowing the passport?
I am using Passport.js as a auth library with LocalStrategy and MongoStore to safe the sessions in the mongo database. I am wondering if I can create a record in the sessions collection and set a generated cookie with Phantom.js (phantom.addCookie(...)) to simulate a specific logged in user without the password of the user?
Can I generate the content of the of the connect.sid cookie for a specific user in the backend and add it to phantom.js in order to simulate a logged in user?
Findings:
I figured out that Passport.js uses the Cookie-Signature node module to sign the cookie content and I assume Express.js uses the Connect cookie and session middleware to handle the cookie and session creation and insert them into the HTTP headers.
using javascript, you should be able to fill in your login fields and submit. (simulating a user login, not trying to recreate a login cookie)
that would probably be your best bet.
for how to fill in forms, see:
How to fill in form field, and submit, using javascript?
Automatic form fill using javascript
How can I do this
request.session['key'] = 'value'
for the user which user_id is 47?
Keep in mind that I'm not currently logged in with that user, I want to do it in shell.
See the section of the Session docs entitled "Using sessions out of views".
The problem though is that Django doesn't store the user with the session (by design, for security purposes). So the only way to retrieve a session is through it's key. That key is stored with the user's client and passed to the server to associate the session with the logged in user. In other words, you're going to have a hard time determining which session belongs to which user.
More to the point, the session data is actually encrypted in the database as well, so there's not even any way to query directly for the user id stored in it. The following will work, but you'll have to query each session one by one to get the right user. Depending on how many sessions your database currently has, this could be extremely expensive. Mark as USE AT YOUR OWN RISK
from django.contrib.sessions.models import Session
from django.contrib.sessions.backends.db import SessionStore
for session in Session.objects.all():
data = SessionStore().decode(session.session_data)
if data.get('_auth_user_id') == user_id_you_want:
user_session = SessionStore(session_key=session.session_key)
# you can modify the session data here like normal, then:
user_session.save()
The answer depends entirely on the session storage/engine you're using.
So, the generic answer would be: Wherever the session is being stored, modify it there.
For the database backend: UPDATE django_session SET session_data=[whatever] WHERE session_key=[whatever];
You'll also need the session key and the AES key stored in the client browser.
Alternatively, send them to a controller that updates the session.