I have a django blog project and a chat in PHP.
I need to share the id of the user logged in django ( request.user.id ) with the chat in PHP.
Is this possible ?
I don't think using sessions in this way is a good idea, since they're designed to keep data temporarily for a certain user in an application. It might be a better idea to store the id in a cookie and read that in the chat, or pass a variable in the link.
You could use HTTP authentication for this. As long as both applications are on the same domain and the realm name (sent in the WWW-Authenticate header) is the same for both, once a use logs into one or the other application, the REMOTE_USER variable will be available to both and will contain the username of the person logged in.
See http://groups.google.com/group/django-users/msg/a492cb9394b0db4d for one answer
Related
I'm developing a login page for a very small site, and for the "remember me button",
I use the user-id which then I encrypt before placing it in the cookie, and when i want to check if he already has a cookie, i uncrypt the value and connect with the user-id given.
But I'm sure that's not secured enough and people will just have to set a cookie with a random value with encrypting and this will make the job, isn't it ?
As solution to this could be to generate a random token, put it in cookie and in database. Then, if you have the token, you can connect.
If user get stolen this token, this is not the page problem isn't it ?
But I don't know how to process differently..
Anyone has a solution ?
To simply answer the asked question: You can't.
Cookies are stored on the users computer and with enough access rights and/or knowledge the user will be able to delete or modify any cookies your website set.
Encryption is taking information and make into non-sense so no one can access the information. If you need encryption is up to you. But I think this kind of session management is implemented already in a lot of ways. One of the simpler would be some kind of "dynamic API Token"-implementation - Storing some kind of Hash-like String in the cookie and in DB. If they match -> login, if not -> logout. (Symfony example: https://symfony.com/doc/current/security/custom_authenticator.html )
Another one would be JWT (JSON Web Tokens), these are indeed encrypted because they send information back and forth.
If you want to implement something like this yourself I would suggest to look at documentation about these two to start.
I need to make a script to authorize a user to browse a certain part of a site. That user has a software installed that make a url call. that's it. After that I know the user is authorized. How can I make my browser aware if the user has made or not that request? Is there a way? with cookies or http authentication?
Thank you
You know about sessions? You could e.g use a PHP Script. Writing all about sessions would be too much to explain here ... but try e.g. searching for php sessions.
You need to use sessions. Here is an example using sessions and MySQL to authenticate users: http://www.dreamincode.net/code/snippet1153.htm
PHP sestion is one of the solutions (The easy one) to authorise and identify the user.
Check this tutorial: http://www.tizag.com/phpT/phpsessions.php.
other option is HTTP authentication with PHP.
http://php.net/manual/en/features.http-auth.php
I mean you can login both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've attended so far haven't involved such kind of logic,how can these two url under the same domain use different $_SESSION?
I think there is not inbuilt session management feature in PHP.
You can use variable specific management in session.
for eg.
one login from https://mail.google.com/ then store all it's session data in $_SESSION['gmail'][X] , $_SESSION['gmail'][Y],$_SESSION['gmail'][Z]
and then in when another user login from https://mail.google.cpm/a/company.com then store all it's session data in $_SESSION['company'][X],$_SESSION['company'][Y],$_SESSION['company'][Z]
so by this, you can separate those two sessions from each other.
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to used URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here's the docs for it.
I currently have a website that allows my visitors to login via a simple script i've pasted together and wrote. Currently I only use sessions to keep visitors logged in. Are there any advantages to adding cookies to my website to store user logged in status?
Or is there a better way altogether?
using PHP
If you are using PHP sessions then you are using cookies. PHP stores session ID in cookies and the session data to a file on the disk on your web server.
#Ramiro Gonzalez Maciel he said he has made that script, he doesn't need frameworks to take as examples. Frameworks usually have scripts wrapped up and well placed.
To respond that question:
I usually store in cookie some md5 strings that are combined from his md5(password) and his username so I'll know next tim he enters my website that is was logged in so I wouldn't make him login again
my example:
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// sql and escape stuff witch will return 1 if he has entered a valid login
if($sqlreturn == 1){
// do login
$wraplogin = md5($username."-".md5($password)."-".SECRET_KEY); // I always define a define('SECRET_KEY', 'mysecretkey'); in global file.
// now you can store that $wraplogin in cookies and remember his login. Next time he enters the website, you read that cookie, compare it with what you have in your database and let him in.
}
?>
Now I know that is not the best example, but I've personally used it in very large websites (>500.000 users) and none has hacked in yet :)
That's the advantage in cookies for the login part.
Best of luck.
The web frameworks ( Java Servlets and others ) usually use cookies to identify sessions; the other usual option is URL parameters. So assuming you're using any web framework, it's probably already using cookies to store the session id. The Web Framework will use this ID to identify the Session object in every request. Although cookies survive server restarts, since they're stored in the browser, Session objects usually don't unless you've configured Session persistence.
If you want to users to "auto login" as in the usual "rembember me" option many web sites implement, you would have to persist Session objects if your framework provides that. Or implement a similar system, using cookies to store a "logged in token", and checking that token when the user access the system to auto-log them or send them to a login page. ( Edit: like Mihai proposes in other answer )
If you want to implement your own method, I suggest checking how the popular web frameworks implement this, specially the security and privacy aspects of storing user data in cookies.
Say I have an ASP.NET webpage and I also have a PHP Blog/BBS/Website. I want all logins to be done via the ASP.NET webpage. The ASP.NET Session State is stored in SQL. Is there any way I can read/decode the Session State from PHP to tell if a user is logged on if I have the Session State cookie?
I don't think there's a supported way. You could reverse-engineer the store, but the database format may change with next .NET service pack and youe a'd be screwed then.
The only safe way would be to implement your own session state provider so you could guarantee that the database format doesn't change.
If all you need is to verify that the user is authenticated, it would be probably easier to send the user an encrypted cookie with the username and decrypt it in the PHP app.
I have never tried this but if you provided a simple web service that is part of your asp.net application but only accessable from your PHP site. You should now be able to read anything that is in session via the web serivce.
this is looks tricky, but try reading here. the issue here is know the way in what asp encodes and save the session, if you can read that format, this may help.
another way I'm thinking is to create a request to some "login" page form asp to php, where you send the login credentials and the php file creates the session, but this could be not secure if you leave it open, and also could be slow, since another request is necessary.
on the other hand I saw few sites, where once you are logged in, for example in the main site and you want to go to the forums, you click on some link that submit a form to the php login page (credentials are "harcoded" for that user in that session) and the php page login you like the "regular" behavior.
hope to be clear
Unless you specifically need full access to the entire asp.net session state, you may be better off just storing the particular pieces of information that you know both apps need to share in a shared database or file directly.
That way you can ignore most of the complexities of an asp.net session and just pick and choose the specific pieces data your apps need share with each other.