I'm trying to build an auto-logout function in a Django application.
Basically, with each request to the site I want to set the current timestamp in the session (if not set), and then check that value against the current time. If the difference is too great, it should redirect to logout.
Is there an easy way to set the session on each request without adding a function to each of my views?
I know it's possible to use sessions outside views, but then I have to supply the session_key, and I'm not sure where I should get it from, or generate it myself.
I'm not sure what timestamp you are comparing with what here, or why.
The usual way to manage auto-logout is to simply set a short expiry on the session cookie, via the SESSION_COOKIE_AGE setting. If the cookie expires, the user will automatically be redirected to the login page if they try and access a page that requires authentication.
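The idle-timeout approach the question describes, implemented as Django middleware so that no view has to touch the session itself. This is an added example, not code from the question or the answer; it assumes the middleware is listed after AuthenticationMiddleware, and the idle limit and logout URL are supplied by whoever installs it.

```python
import time

# Added example, not code from the question or answer above: an idle-timeout
# check run from Django middleware, so no individual view has to touch the
# session. Assumed: request.session behaves like a dict (it does), and the
# idle limit and logout URL are supplied by whoever installs the middleware.

LAST_ACTIVITY_KEY = "last_activity"


def touch_session(session, idle_seconds, now=None):
    """Record this request's time in the session and report whether the
    previous activity is older than idle_seconds.

    The timestamp is rewritten on every request, so this is an idle timeout;
    SESSION_COOKIE_AGE still caps the absolute lifetime of the session.
    """
    now = time.time() if now is None else now
    last = session.get(LAST_ACTIVITY_KEY)
    session[LAST_ACTIVITY_KEY] = now
    if last is None:
        return False  # first request seen: nothing to compare against yet
    return (now - last) > idle_seconds


class IdleLogoutMiddleware:
    """Django middleware (assumed to be listed after AuthenticationMiddleware
    in MIDDLEWARE). Django is imported lazily so touch_session() can be
    exercised without Django installed."""

    def __init__(self, get_response, idle_seconds=900,
                 logout_url="/accounts/login/"):
        self.get_response = get_response
        self.idle_seconds = idle_seconds
        self.logout_url = logout_url  # assumed path; adjust to your URLconf

    def __call__(self, request):
        if request.user.is_authenticated and touch_session(
                request.session, self.idle_seconds):
            from django.contrib.auth import logout
            from django.shortcuts import redirect
            logout(request)  # flushes the server-side session as well
            return redirect(self.logout_url)
        return self.get_response(request)
```

Because the middleware writes to the session on every request, Django saves the session (and refreshes its cookie) on every request, the same effect as SESSION_SAVE_EVERY_REQUEST, so keep SESSION_COOKIE_AGE as the absolute cap.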
Related
I have an Electron application and I use a webview to log in to Google to use some functions of a website. Each user can log in with his account and will have his functions. When they log in, a cookie has been set to keep the session. But when I log out from this user and log in with another in my application, the cookie remains set. I tried to use a store to save all user cookies, but when I try to set them again I've seen that there is a protected cookie called "__Host-GAPS".
As I read, all cookies starting with "__Host" and "__Secure" are protected and can only be initialized without a domain. But I need the domain, because the original cookie has it, and if I don't put it, I lose the session. When I put the domain I receive this error: "Failed to parse cookie".
I also tried to create a session from a partition, but the cookies are never saved on this new session, always on the default session.
I create a new BrowserWindow setting the partition session on webPreferences.
Can anyone help me? Which is the best way to separate the cookies of each user? How can I restore protected cookies?
Thank you
Finally I found the solution. The best way to do this is to use a partition in the webview. I use the following code:
<webview id="myWebview" style="height: 600px;" src="https://website.com" partition="getPartition()"></webview>
where the getPartition() function returns 'persist:' + userToken.
from http://getblimp.github.io/django-rest-framework-jwt/#refresh-token
Each time the user loads the page, you can check if there is an existing non-expired token and if it's close to being expired, refresh it to extend their session. In other words, if a user is actively using your site, they can keep their "session" alive.
Can anyone explain to me how we can implement client-side like that?
1. Define your expiration time delta and set it in your Django settings and client-side code.
2. Authenticate against your app; you should receive a valid token.
3. Store that token and the current timestamp in localStorage.
4. Then on each page load (or on a setInterval schedule) check if the delta between that timestamp and now (use moment.js for that) is approaching the expiration value, and refresh the token if required.
5. If the token refresh succeeded, repeat steps 3 and 4.
I need to clear a concept.
I'm tracking unauthenticated users in my Django social networking web-app by setting a temp_id in the request.session dictionary as soon as a new user hits the web-app's landing page. The code is simply:
temp_id = request.session.get('temp_id', None)
if not temp_id:
    request.session['temp_id'] = get_temp_id()
So far so good.
Apart from saving a temp_id in request.session, another technique I could have used is setting a browser cookie explicitly for unauthenticated users like so:
if not request.session.exists(request.session.session_key):
    request.session.create()
The concept I'd like to clarify is: are these approaches equivalent?
I feel they are. My reasoning is: if a browser cookie is just a reference to a Session stored in the DB, then if cookies were turned off, matching a Session for that user would be impossible. So regardless of whichever approach I take, I'll be relying on the browser's ability to store a cookie.
Or in other words, both methods of allotting a temp_id to an unauthenticated user are, under the hood, quite similar. The only difference is that browser cookies are less secure than session variables (over HTTPS).
Can someone point out whether this line of thinking is correct? Or is my approach wrong? I'm essentially trying to ascertain which approach to take for reliably tracking unauthenticated users once they hit my app's landing page and move about.
When I try to call:
Auth::getInstance()->authenticate($email,$password)
to authenticate in the login controller, I call Auth::getInstance()->isAuthenticated() and get bool(true). Then I redirect to another page, where Auth::getInstance()->isAuthenticated() gives bool(false). After I use this authentication, how can I keep the session at bool(true) on any page after that, until I call Auth::getInstance()->unauthenticate() on that session, or make it global for the session? Currently I'm using a session database.
Problem: how to keep the current user authenticated after redirecting to another page?
Without knowing more about your code, I can predict a couple of possible sources of this type of behavior...
1) You're not writing the fact that the user is authenticated to your session/cookie, so the second page request isn't aware of the result of the first one.
2) If the authentication is successful on the first page (and you record this in the session/cookie), and the redirection happens, but you redirect back to a page already seen by the user (e.g. Homepage -> Login page -> Homepage), then your browser might be loading it out of its local cache rather than fetching the new (authenticated) page from the server.
Try dumping your session variables to the browser to see if the authentication result is being preserved between requests, and try appending a timestamp to the redirect URL or using headers to prevent client-side caching. This will at least allow you to narrow down, or eliminate, these two options.
The Auth plugin already manages all session control for authentication without any additional effort from the developer.
The problem you are facing could likely be because the session is not starting for some reason. This could be because Nuclio isn't detecting that it is being run from a browser. Nuclio detects this by checking REMOTE_HOST and HTTP_HOST values in $_SERVER. If both are null, it won't start the session (to avoid generating headers on a command line).
Also make sure that your base application class is extending the Nuclio Application plugin class and NOT overriding the __construct method without calling the parent construct method as this would cause all the initialization to fail and no session will be created/resumed.
I'm trying to ping Django from a javascript frontend to find out when a user's session will expire. I'm doing this so I can proactively notify a user when their session has expired.
Unfortunately, the session expiry time is updated because I'm hitting the Django app. I've tried reading the session cookie from JavaScript, but it is not accessible (nor recommended to be accessible) from JavaScript.
How can I ping my Django app from javascript to get when the session will end?
What about passing the number of seconds until the session will expire directly to your template/JavaScript? For example, you can get it using this method in your view function and pass it along.