Cookies, Sessions and User Authentication

     Thierry Sans
Today, we will



•   bake cookies

•   and use cookies to implement sessions

•   and use sessions to authenticate users

•   and define user’s permissions
Before we start
Security assumptions

[Diagram: Client Side (Web Browser) | Server Side (Web Server, Database)]

Security assumptions

You have absolutely no control over the client

[Diagram: Client Side (Web Browser) | Server Side (Web Server, Database)]
Cookies
The big picture

[Diagram: key/value pairs data travel between the Web Browser (client side) and the Web Server (server side), carried in every HTTP request and HTTP response]
Cookies

•   Cookies are pieces of data sent back and forth between
    the browser and the server in HTTP requests and responses
Anatomy of a Cookie

•   Text data (up to 4 KB)

•   May (or may not) have an expiration date

•   Can be manipulated from the client and from the server
What are cookies useful for?



•   Shopping cart

•   Browsing preferences

•   “Remember me on this computer”

•   User authentication
Manipulating cookies




•   A cookie can be modified

    •   on the server side - Django

    •   on the client side - jQuery Cookie plugin
Remember the search input (in Javascript)

                                             WebDirectory/static/js/init.js
   // storing data: save the trimmed search input in the 'keywords' cookie
   function search(){
       var input = $.trim($("input[name='search']").val());
       $.cookie('keywords', input);
       ...
   }

                                             WebDirectory/static/js/init.js
   // retrieving data: restore the last search from the cookie on page load
   function init(){
     if ($.cookie("keywords")){
       $("input[name='search']").val($.cookie("keywords"));
       search();
     }
   }
Remember the number of visits (in Django)

                                               WebDirectory/views.py
 from django.shortcuts import render_to_response
 from WebDirectory.models import Entry

 def index(request):
   entry_list = Entry.objects.all()
   # retrieving data: the counter comes straight from the client's cookie
   if 'nb_visits' in request.COOKIES:
       n = int(request.COOKIES['nb_visits']) + 1
   else:
       n = 1
   response = render_to_response('WebDirectory/index.html',
                   {'entry_list': entry_list, 'nb_visits': n})
   # storing data: send the new counter back in a Set-Cookie header
   response.set_cookie('nb_visits', value=n,
                        max_age=None, expires=None,
                        path='/webdirectory/', domain=None,
                        secure=None, httponly=False)
   return response
Firefox - debugging (and hacking) cookies
Hacking cookies




The user can create, modify, delete key/value pairs in cookies
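The nb_visits view above trusts whatever number the browser sends back, so a user who edits the cookie picks the counter. The example below is added here and is not code from the slides or from Django: it shows the unsigned version beside a version that binds the value to an HMAC computed with a server-side key (the key, the cookie layout "value.signature" and the helper names are constructed for the demo; Django's own signed-cookie machinery works on the same principle). A tampered value fails verification and the counter falls back to 1 instead of jumping to whatever the client wrote.

```python
import hashlib
import hmac

# Constructed demo secret. In a deployment the key comes from configuration,
# never from source code, and is never sent to the client.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def unsigned_next_visit_count(cookie_value):
    """The slide's logic: the client's cookie is the source of truth."""
    if cookie_value is not None and cookie_value.isdigit():
        return int(cookie_value) + 1
    return 1


def sign_cookie_value(value, key=SECRET_KEY):
    """Return 'value.signature', signature = HMAC-SHA256(key, value)."""
    sig = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{sig}"


def verify_cookie_value(raw, key=SECRET_KEY):
    """Return the original value if the signature checks out, else None."""
    if raw is None or "." not in raw:
        return None
    value, _, sig = raw.rpartition(".")
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check leaks nothing about the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    return value


def signed_next_visit_count(cookie_value):
    """Hardened nb_visits: returns (new_count, cookie_to_set).

    Anything the client altered, or never had signed, verifies as None and
    the counter restarts at 1.
    """
    value = verify_cookie_value(cookie_value)
    if value is None or not value.isdigit():
        n = 1
    else:
        n = int(value) + 1
    return n, sign_cookie_value(str(n))


def tamper(cookie_value, new_value):
    """Simulate a user rewriting the value but keeping the old signature."""
    return f"{new_value}.{cookie_value.rpartition('.')[2]}"
```

The signature only proves integrity, not secrecy: the value is still readable by the client, so a cookie that must stay private (or must not be replayable) belongs in a server-side session instead.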
Sessions
The big picture

[Diagram: only the session id travels between the Web Browser (client side) and the Web Server (server side) in each HTTP request and HTTP response; the key/value pairs data stay on the server]
The concept of session

•   There is a session id (aka token)
    shared between the browser and the web application

•   This session id should be unique and unforgeable
    (usually a long random number or a hash)

•   This session id is bound to key/value pairs data
Where session values are stored

•   The session ID is stored in a cookie

•   The session key/value pairs are stored on the server
    (in the database, with Django)
Remember the number of visits using sessions

                                               WebDirectory/views.py
 from django.shortcuts import render_to_response
 from WebDirectory.models import Entry

 def index(request):
   entry_list = Entry.objects.all()
   # retrieving data: the counter lives on the server, looked up by session id
   if 'nb_visits' in request.session:
           n = int(request.session['nb_visits']) + 1
   else:
           n = 1
   # storing data: only the session id goes back to the browser
   request.session['nb_visits'] = n
   response = render_to_response('WebDirectory/index.html',
                   {'entry_list': entry_list, 'nb_visits': n})
   return response
Hacking sessions




The user can create, modify, delete the session ID in the cookie

But cannot access the key/value pairs stored on the server
Clearing the session

 Dirty      delete the cookie
            (but the session values are still on the server)

 Program    use flush() in the view to delete the current
            session data and regenerate the session key

 Command    django-admin.py cleanup
            deletes any session in the session table whose
            expire_date is in the past
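To make the session slides concrete, here is an added example (not code from the slides or from Django) of a server-side session store in plain Python: a long random id from `secrets`, key/value data and an expire_date kept only on the server, a flush() that drops the data and regenerates the key, and a cleanup() that deletes expired rows as `django-admin.py cleanup` does. The class, the ManualClock test helper and the 14-day default lifetime are constructed for the demo (Django's default lifetime is a setting, not something this code reads). A forged or deleted id simply finds no data, which is exactly why the user can change the id but cannot reach the values behind it.

```python
import secrets
from datetime import datetime, timedelta, timezone

SESSION_ID_BYTES = 32  # 256 bits of randomness: not guessable, not forgeable


class ManualClock:
    """Constructed test clock so expiry can be shown without waiting."""

    def __init__(self, start=None):
        self.t = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def __call__(self):
        return self.t

    def advance(self, **kwargs):
        self.t += timedelta(**kwargs)


class SessionStore:
    """Server-side key/value data keyed by a random session id.

    Models Django's session table: the browser only ever holds the id
    (in a cookie); the data and the expire_date never leave the server.
    """

    def __init__(self, lifetime_seconds=14 * 24 * 3600, now=None):
        self._sessions = {}  # session_id -> {"data": {...}, "expire_date": datetime}
        self._lifetime = timedelta(seconds=lifetime_seconds)
        self._now = now if now is not None else (lambda: datetime.now(timezone.utc))

    def _new_id(self):
        while True:
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
            if sid not in self._sessions:  # uniqueness, in the vanishingly unlikely case
                return sid

    def create(self):
        sid = self._new_id()
        self._sessions[sid] = {"data": {}, "expire_date": self._now() + self._lifetime}
        return sid

    def get(self, sid):
        """Return the session's data dict, or None for an unknown, forged or expired id."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expire_date"] <= self._now():
            return None
        return entry["data"]

    def flush(self, sid):
        """Like request.session.flush(): drop the data and issue a fresh id."""
        self._sessions.pop(sid, None)
        return self.create()

    def cleanup(self):
        """Like 'django-admin.py cleanup': delete sessions whose expire_date is past."""
        now = self._now()
        expired = [s for s, e in self._sessions.items() if e["expire_date"] <= now]
        for s in expired:
            del self._sessions[s]
        return len(expired)

    def __len__(self):
        return len(self._sessions)


def count_visit(store, sid):
    """Session-backed nb_visits view: returns (session_id_to_set, count)."""
    data = store.get(sid)
    if data is None:               # no cookie, unknown id, or expired: start over
        sid = store.create()
        data = store.get(sid)
    data["nb_visits"] = int(data.get("nb_visits", 0)) + 1
    return sid, data["nb_visits"]
```

Deleting the cookie on the client leaves the row in the store until cleanup() runs, which is the "dirty" case on the slide; flush() is what a logout handler should call so the old id is dead immediately.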
User Authentication
The simple recipe for user authentication


1. Ask the user for a login and password and send it
   to the server (HTTP/POST request)

2. Verify the login/password based on information
   stored on the server (usually in the database)

3. Start a session if the login/password matches, i.e. once
   the user has been successfully authenticated

4. Grant access to resources according to the session
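The four steps above, carried through in plain Python as an added example (not code from the slides and not Django's auth module): step 2 verifies the submitted password against a salted PBKDF2 hash stored on the server, step 3 starts a session with a fresh random id only after success, and step 4 identifies the user from that server-side session. The user table, the password strings, the iteration count and the function names are constructed for the demo; a disabled account is rejected after the password check, mirroring the is_active test in the Django login view later in the deck.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # constructed for the demo; raise it for production hardware


def make_password(password):
    """Store 'algorithm$iterations$salt$hash', never the clear-text password."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt}${digest.hex()}"


def check_password(password, encoded):
    algorithm, iterations, salt, expected = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(digest.hex(), expected)  # constant-time compare


# Hash to run when the username does not exist, so the failure path costs the
# same time as a real check and does not reveal which usernames are valid.
_DUMMY_HASH = make_password(secrets.token_hex(8))

# Constructed user table standing in for the database (step 2 of the recipe).
USERS = {
    "tsans": {"password": make_password("correct horse battery staple"), "is_active": True},
    "alice": {"password": make_password("hunter2"), "is_active": False},
}

# Server-side sessions: session id -> {"username": ...}, like Django's session table.
SESSIONS = {}


def authenticate(username, password):
    """Step 2: return the user record on success, None otherwise."""
    user = USERS.get(username)
    encoded = user["password"] if user else _DUMMY_HASH
    ok = check_password(password, encoded)
    if user is None or not ok:
        return None
    return dict(user, username=username)


def login_view(post_data):
    """Steps 1 and 3: consume the POSTed form, start a session on success.

    Returns (status, session_id); the session id is what goes into the cookie.
    """
    user = authenticate(post_data.get("username", ""), post_data.get("password", ""))
    if user is None:
        return "invalid login", None
    if not user["is_active"]:
        return "disabled account", None
    sid = secrets.token_urlsafe(32)  # fresh, unguessable id per login
    SESSIONS[sid] = {"username": user["username"]}
    return "ok", sid


def current_user(session_id):
    """Step 4: the user is whoever the server-side session says, nothing the client sent."""
    entry = SESSIONS.get(session_id)
    return entry["username"] if entry else None
```

The same "invalid login" answer for a wrong password and for an unknown username is deliberate: distinguishing them would let anyone enumerate valid accounts.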
Django login/logout urls

                                                    WebDirectory/urls.py
urlpatterns += patterns('',
    # Django predefined login view, rendered with a user-defined login page
    (r'^login/$',    'django.contrib.auth.views.login',
                    {'template_name': 'WebDirectory/login.html'}),
    # user-defined logout view
    (r'^logout/$', 'WebDirectory.views.logout_view'))
Or you can manage your own login view
                                                          example
from django.contrib.auth import authenticate, login
from django.http import HttpResponse, HttpResponseRedirect


def login_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            login(request, user)
            # Redirect to a success page.
            return HttpResponseRedirect('/webdirectory/')
        else:
            # Return a 'disabled account' error message
            return HttpResponse('Disabled account')
    else:
        # Return an 'invalid login' error message.
        return HttpResponse('Invalid login')
Logout

                                                     WebDirectory/views.py
from django.contrib.auth import logout
from django.core.urlresolvers import reverse
from django.http import HttpResponseRedirect


def logout_view(request):
    logout(request)
    return HttpResponseRedirect(reverse('WebDirectory.views.index'))
Protecting resources




•   Certain views might be accessible by the authenticated users
    only
Version 1 - using the template




{% if user.is_authenticated %}
    <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
{% else %}
    <p>Welcome, new user. Please log in.</p>
{% endif %}
Version 2 - using the views

from django.http import HttpResponse


def index(request):
    if request.user.is_authenticated():
        # Do something for authenticated users.
        return HttpResponse('Welcome, %s.' % request.user.username)
    else:
        # Do something for anonymous users.
        return HttpResponse('Welcome, new user. Please log in.')
Version 3 - using a decorator in the view

from django.contrib.auth.decorators import login_required
from django.http import HttpResponse


@login_required(login_url='/myapp/login/')
def index(request):
    # Do something for authenticated users.
    return HttpResponse('Welcome, %s.' % request.user.username)
WebDirectory - security policy




1. Only authenticated users can see the web gallery
WebDirectory

                                                    WebDirectory/views.py
@login_required(login_url='/webdirectory/login/')
def index(request):
  entry_list = Entry.objects.all()
  ...

               But, we must also protect all the other views:
               • getImage
               • add
               • search
Authorization
WebDirectory - security policy




1. Only authenticated users can see the web gallery

2. Only the admin user “tsans” can add a new entry
Version 0 - hide the upload button (template)

                                 WebDirectory/templates/WebDirectory/index.html

{% if admin %}
   <a href="#" id="publisherButton"
                 onclick="showHideUploader();return false;">
   Show uploader
   </a>
   <div id="publisher">
          ...
          ...
   </div>
{% endif %}
Version 0 - hide the upload button (view)

                                                WebDirectory/views.py
@login_required(login_url='/webdirectory/login/')
def index(request):
  entry_list = Entry.objects.all()
  ...
  return render_to_response('WebDirectory/index.html',
                            {'entry_list': entry_list,
                             'admin': request.user.username == 'tsans'})

                      This is absolutely not secure enough !!!
Version 1 - protecting the view

                                                WebDirectory/views.py
from django.core.exceptions import PermissionDenied

@login_required(login_url='/webdirectory/login/')
def add(request):
    if request.user.username == 'tsans':
        # add the entry to the database
        ...
    else:
        # refuse the request; Django turns PermissionDenied into an HTTP 403
        raise PermissionDenied
Django permissions



•   Based on the Django admin features, the model Entry
    predefines 3 permissions:

    •   Entry.add_entry

    •   Entry.change_entry

    •   Entry.delete_entry
Version 2 - using permissions in the view

                                                    WebDirectory/views.py
from django.core.exceptions import PermissionDenied

@login_required(login_url='/webdirectory/login/')
def add(request):
    # permission names are '<app_label>.<codename>'
    if request.user.has_perm('Entry.add_entry'):
        # add the entry to the database
        ...
    else:
        # refuse the request; Django turns PermissionDenied into an HTTP 403
        raise PermissionDenied
Version 3 - using a decorator in the view

                                          WebDirectory/views.py
from django.contrib.auth.decorators import permission_required

@permission_required('Entry.add_entry')
def add(request):
    # add the entry to the database
    ...
Define custom permissions

                                                            example
from django.db import models

class Task(models.Model):
    ...
    class Meta:
        permissions = (
            ("view_task", "Can see available tasks"),
            ("change_task_status", "Can change the status of tasks"),
            ("close_task", "Can close a task"),
        )
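The three versions of the add view differ in where the authorization decision lives, and Version 0 makes none at all: the template hides the button, but the view still accepts any logged-in user's POST. The example below is added here (not code from the slides or from Django) and models the decorators and the request/user objects in plain Python so the three behaviours can be compared side by side: `login_required`, a `permission_required` that consults the user's permission set, and a `try_view` helper that reports each outcome the way the HTTP layer would. The User, Request, ENTRIES list and the exception classes are constructed stand-ins; in Django, anonymous users hitting `permission_required` are redirected to the login page rather than refused outright.

```python
from functools import wraps


class PermissionDenied(Exception):
    """Raised by a view that refuses the request (Django maps this to HTTP 403)."""


class NotAuthenticated(Exception):
    """Raised when an anonymous user reaches a login-only view (Django redirects)."""


class User:
    """Constructed stand-in for django.contrib.auth's user object."""

    def __init__(self, username, perms=(), is_authenticated=True):
        self.username = username
        self._perms = set(perms)          # codenames such as 'Entry.add_entry'
        self.is_authenticated = is_authenticated

    def has_perm(self, perm):
        return self.is_authenticated and perm in self._perms


ANONYMOUS = User("", is_authenticated=False)


class Request:
    """Constructed stand-in for the Django request: who is asking, and the POST form."""

    def __init__(self, user=ANONYMOUS, post=None):
        self.user = user
        self.POST = post or {}


def login_required(view):
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            raise NotAuthenticated(view.__name__)
        return view(request, *args, **kwargs)
    return wrapper


def permission_required(perm):
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not request.user.has_perm(perm):
                raise PermissionDenied(f"{perm} required for {view.__name__}")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


ENTRIES = []  # constructed stand-in for the Entry table


# Version 0: the template hides the button for non-admins, but the view itself
# lets any authenticated user add an entry. A hand-made POST skips the button.
@login_required
def add_v0(request):
    ENTRIES.append(request.POST["title"])
    return "added"


# Version 1: the check is in the view, but the username is hard-coded.
@login_required
def add_v1(request):
    if request.user.username != "tsans":
        raise PermissionDenied("only tsans may add entries")
    ENTRIES.append(request.POST["title"])
    return "added"


# Version 3: the decorator checks a permission codename. Who holds it is data
# (a user or group assignment), so it can be granted or revoked without a deploy.
@permission_required("Entry.add_entry")
def add_v3(request):
    ENTRIES.append(request.POST["title"])
    return "added"


def try_view(view, request):
    """Run a view and report the outcome as the HTTP layer would."""
    try:
        return view(request)
    except NotAuthenticated:
        return "302 redirect to login"
    except PermissionDenied:
        return "403 forbidden"
```

The point the slides make with "not secure enough" is visible in the assertions: hiding the uploader changes nothing about what `add_v0` accepts, while `add_v1` and `add_v3` refuse the same request from a user who is logged in but not entitled.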
Summary




•   What is the difference between a cookie and a session?

•   How are users authenticated?

•   What is the difference between authentication and
    authorization?

More Related Content

What's hot (20)

Oops in PHP
Oops in PHPOops in PHP
Oops in PHP
 
Document Object Model
Document Object ModelDocument Object Model
Document Object Model
 
Bootstrap 5 ppt
Bootstrap 5 pptBootstrap 5 ppt
Bootstrap 5 ppt
 
Introduction of Html/css/js
Introduction of Html/css/jsIntroduction of Html/css/js
Introduction of Html/css/js
 
WordPress what is Wordpress
WordPress what is WordpressWordPress what is Wordpress
WordPress what is Wordpress
 
HTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeHTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status Code
 
WordPress Course Outline
WordPress Course OutlineWordPress Course Outline
WordPress Course Outline
 
Python/Flask Presentation
Python/Flask PresentationPython/Flask Presentation
Python/Flask Presentation
 
Cookie and session
Cookie and sessionCookie and session
Cookie and session
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
HTML and CSS crash course!
HTML and CSS crash course!HTML and CSS crash course!
HTML and CSS crash course!
 
Introduction to WordPress
Introduction to WordPressIntroduction to WordPress
Introduction to WordPress
 
CSS3 Media Queries
CSS3 Media QueriesCSS3 Media Queries
CSS3 Media Queries
 
Laravel Tutorial PPT
Laravel Tutorial PPTLaravel Tutorial PPT
Laravel Tutorial PPT
 
Basic WordPress for Beginner ppt
Basic WordPress for Beginner pptBasic WordPress for Beginner ppt
Basic WordPress for Beginner ppt
 
ASP.NET Web API
ASP.NET Web APIASP.NET Web API
ASP.NET Web API
 
Learn react-js
Learn react-jsLearn react-js
Learn react-js
 
Basic of HTML, CSS(StyleSheet), JavaScript(js), Bootstrap, JSON & AngularJS
Basic of HTML, CSS(StyleSheet), JavaScript(js), Bootstrap, JSON & AngularJSBasic of HTML, CSS(StyleSheet), JavaScript(js), Bootstrap, JSON & AngularJS
Basic of HTML, CSS(StyleSheet), JavaScript(js), Bootstrap, JSON & AngularJS
 
Beginners Guide to Drupal
Beginners Guide to DrupalBeginners Guide to Drupal
Beginners Guide to Drupal
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response Structure
 

Viewers also liked

Files
FilesFiles
Filessoon
 
Keller Williams Realty
Keller Williams RealtyKeller Williams Realty
Keller Williams RealtyRickBosl
 
Admin
AdminAdmin
Adminsoon
 
October - Corporatre Presentation
October - Corporatre PresentationOctober - Corporatre Presentation
October - Corporatre Presentationglevel
 
Google
GoogleGoogle
Googlesoon
 
Deploying
DeployingDeploying
Deployingsoon
 

Viewers also liked (8)

Files
FilesFiles
Files
 
Keller Williams Realty
Keller Williams RealtyKeller Williams Realty
Keller Williams Realty
 
Wedium coffav
Wedium coffavWedium coffav
Wedium coffav
 
Admin
AdminAdmin
Admin
 
October - Corporatre Presentation
October - Corporatre PresentationOctober - Corporatre Presentation
October - Corporatre Presentation
 
Fostering Online Networks
Fostering Online NetworksFostering Online Networks
Fostering Online Networks
 
Google
GoogleGoogle
Google
 
Deploying
DeployingDeploying
Deploying
 

Similar to Authentication

How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppBen Adida
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnDan Rinzel
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3Neeraj Mathur
 
Introduction Yii Framework
Introduction Yii FrameworkIntroduction Yii Framework
Introduction Yii FrameworkTuan Nguyen
 
PHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfPHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfHumphreyOwuor1
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code HardeningOdoo
 
Passwords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerPasswords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerFrancois Marier
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudJonghyun Park
 
PHPConf-TW 2012 # Twig
PHPConf-TW 2012 # TwigPHPConf-TW 2012 # Twig
PHPConf-TW 2012 # TwigWake Liu
 
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJSAngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJSmurtazahaveliwala
 
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5Tieturi Oy
 
Persona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsPersona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsFrancois Marier
 
Let's read code: the python-requests library
Let's read code: the python-requests libraryLet's read code: the python-requests library
Let's read code: the python-requests librarySusan Tan
 
Django Class-based views (Slovenian)
Django Class-based views (Slovenian)Django Class-based views (Slovenian)
Django Class-based views (Slovenian)Luka Zakrajšek
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular jsStormpath
 

Similar to Authentication (20)

How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
 
Ecom2
Ecom2Ecom2
Ecom2
 
Code your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard LearnCode your Own: Authentication Provider for Blackboard Learn
Code your Own: Authentication Provider for Blackboard Learn
 
ASP.Net Presentation Part3
ASP.Net Presentation Part3ASP.Net Presentation Part3
ASP.Net Presentation Part3
 
Introduction Yii Framework
Introduction Yii FrameworkIntroduction Yii Framework
Introduction Yii Framework
 
PHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdfPHP-Cookies-Sessions.pdf
PHP-Cookies-Sessions.pdf
 
Rails Security
Rails SecurityRails Security
Rails Security
 
Php sessions & cookies
Php sessions & cookiesPhp sessions & cookies
Php sessions & cookies
 
Security: Odoo Code Hardening
Security: Odoo Code HardeningSecurity: Odoo Code Hardening
Security: Odoo Code Hardening
 
Passwords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answerPasswords suck, but centralized proprietary services are not the answer
Passwords suck, but centralized proprietary services are not the answer
 
4.4 PHP Session
4.4 PHP Session4.4 PHP Session
4.4 PHP Session
 
Automating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on CloudAutomating Django Functional Tests Using Selenium on Cloud
Automating Django Functional Tests Using Selenium on Cloud
 
PHPConf-TW 2012 # Twig
PHPConf-TW 2012 # TwigPHPConf-TW 2012 # Twig
PHPConf-TW 2012 # Twig
 
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJSAngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
AngularJS training - Day 1 - Basics: Why, What and basic features of AngularJS
 
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5TechDays 2013 Jari Kallonen: What's New WebForms 4.5
TechDays 2013 Jari Kallonen: What's New WebForms 4.5
 
Persona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwordsPersona: in your browsers, killing your passwords
Persona: in your browsers, killing your passwords
 
Introduction to Django
Introduction to DjangoIntroduction to Django
Introduction to Django
 
Let's read code: the python-requests library
Let's read code: the python-requests libraryLet's read code: the python-requests library
Let's read code: the python-requests library
 
Django Class-based views (Slovenian)
Django Class-based views (Slovenian)Django Class-based views (Slovenian)
Django Class-based views (Slovenian)
 
How to Use Stormpath in angular js
How to Use Stormpath in angular jsHow to Use Stormpath in angular js
How to Use Stormpath in angular js
 

Recently uploaded

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 

Recently uploaded (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 

Authentication

  • 1. Cookies, Sessions and User Authentication Thierry Sans
  • 2. Today, we will • bake cookies • and use cookies to implement sessions • and use sessions to authenticate users • and define user’s permissions
  • 4. Security assumptions Client Side Server Side Web Browser Web Server Database
  • 5. Security assumptions You have absolutely no control on the client Client Side Server Side Web Browser Web Server Database
  • 7. The big picture key/value pairs data Client Side Server Side HTTP request HTTP response HTTP request HTTP response Web Browser Web Server
  • 8. Cookies • Cookies are pieces of data sent back and forth between the browser and the server in HTTP request and response
  • 9. Anatomy of a Cookie • Text data (Up to 4kb) • May (or may not) have an expiration date • Can be manipulated from the client and the server
  • 10. What cookies are useful for? • Shopping cart • Browsing preferences • “Remember me on this computer” • User authentication
  • 11. Manipulating cookies • A cookie can be modified • on the server side - Django • on the client side - jQuery Cookie plugin
  • 12. Remember the search input (in Javascript) WebDirectory/static/js/init.js function search(){ var input = $.trim($("input[name='search']").val()); $.cookie('keywords', input); storing data WebDirectory/static/js/init.js function init(){ if ($.cookie("keywords")){ $("input[name='search']").val($.cookie("keywords")); search(); } } retrieving data
  • 13. Remember the number of visits (in Django) WebDirectory/views.py def index(request): entry_list = Entry.objects.all() retrieving data if 'nb_visits' in request.COOKIES: n = int(request.COOKIES['nb_visits']) + 1 else: n = 1 response = render_to_response('WebDirectory/index.html', {'entry_list': entry_list, 'nb_visits': n}) response.set_cookie('nb_visits', value=n, max_age=None, expires=None, path='/webdirectory/', domain=None, secure=None, httponly=False) return response storing data
  • 14. Firefox - debugging (and hacking) cookies
  • 15. Hacking cookies The user can create, modify, delete key/value pairs in cookies
• 17. The big picture (diagram: the browser sends the session id with each HTTP request and gets it back in the response; the key/value pairs data stay on the web server)

• 18. The concept of session

  • There is a session id (aka token) between the browser and the web application
  • This session id should be unique and unforgeable (usually a long random number or a hash)
  • This session id is bound to key/value pairs data

• 19. Where session values are stored

  • Session ID is stored in a cookie
  • Session key/value pairs are stored on the server (in the database with Django)

• 20. Remember the number of visits using sessions

  WebDirectory/views.py

    from django.shortcuts import render_to_response
    from WebDirectory.models import Entry

    def index(request):
        entry_list = Entry.objects.all()
        # retrieving data (stored on the server, keyed by the session id)
        if 'nb_visits' in request.session:
            n = int(request.session['nb_visits']) + 1
        else:
            n = 1
        # storing data
        request.session['nb_visits'] = n
        response = render_to_response('WebDirectory/index.html',
                                      {'entry_list': entry_list, 'nb_visits': n})
        return response

• 21. Hacking sessions

  The user can create, modify, delete the session ID in the cookie
  But cannot access the key/value pairs stored on the server

• 22. Clearing the session

  • Dirty: delete the cookie (but the session values are still on the server)
  • Program: use flush() in the view to delete the current session data and regenerate the session key
  • Command: django-admin.py cleanup deletes any session in the session table whose expire_date is in the past

• 24. The simple recipe for user authentication

  1. Ask the user for a login and password and send it to the server (HTTP/POST request)
  2. Verify the login/password based on information stored on the server (usually in the database)
  3. Start a session if the login/password matches, i.e. once the user has been successfully authenticated
  4. Grant access to resources according to the session
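To make slides 18 to 22 concrete, here is an added example (not from the slides, and not Django's code) of a minimal server-side session store: the browser only ever holds a random session key, the key/value data live in the store, a forged or expired key finds nothing, flush() drops the data and regenerates the key, and cleanup() removes expired sessions the way django-admin.py cleanup does. The class and function names are this example's own; the two-week default age matches Django's SESSION_COOKIE_AGE.

```python
# Added example (not from the slides): what request.session does behind the
# scenes, in plain Python. Only the session key travels to the browser.
import secrets
import time


class SessionStore:
    def __init__(self, max_age=1209600):  # 2 weeks, Django's default SESSION_COOKIE_AGE
        self.max_age = max_age
        self._sessions = {}  # session_key -> (expire_at, data dict)

    def _new_key(self):
        # 32 random bytes (about 43 URL-safe characters): unguessable, hence unforgeable
        while True:
            key = secrets.token_urlsafe(32)
            if key not in self._sessions:
                return key

    def create(self):
        key = self._new_key()
        self._sessions[key] = (time.time() + self.max_age, {})
        return key

    def get(self, key):
        """Return the data dict for a valid, unexpired key; None otherwise."""
        entry = self._sessions.get(key)
        if entry is None:
            return None  # unknown or forged key: nothing on the server matches it
        expire_at, data = entry
        if expire_at <= time.time():
            del self._sessions[key]
            return None
        return data

    def flush(self, key):
        """Like request.session.flush(): delete the data and regenerate the key."""
        self._sessions.pop(key, None)
        return self.create()

    def cleanup(self):
        """Like django-admin.py cleanup: delete sessions whose expire date is past."""
        now = time.time()
        expired = [k for k, (exp, _) in self._sessions.items() if exp <= now]
        for k in expired:
            del self._sessions[k]
        return len(expired)

    def count(self):
        return len(self._sessions)


def count_visits_in_session(store, session_key):
    """The nb_visits view on top of the store; returns (session_key, visits).

    A deleted, forged or expired key simply starts a fresh session, so the
    client cannot pick the counter value, only lose it.
    """
    data = store.get(session_key) if session_key else None
    if data is None:
        session_key = store.create()
        data = store.get(session_key)
    data["nb_visits"] = int(data.get("nb_visits", 0)) + 1
    return session_key, data["nb_visits"]
```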
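The four steps above, carried through as an added example (not from the slides, and not Django's own code) in plain Python: step 2 verifies the password against a salted PBKDF2-HMAC-SHA256 hash, which is the scheme behind Django's default password hasher, using a constant-time comparison, and step 3 issues a fresh random session key only after that succeeds. The user table, the passwords in it and all function names are constructed for the example; the iteration count is deliberately lower than Django's current default so the example stays quick.

```python
# Added example (not from the slides): the authentication recipe without Django.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 cost factor; production values are several times higher


def make_password(password):
    """Encode as algorithm$iterations$salt$hash, with a fresh random salt per user."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"


def check_password(password, encoded):
    """Recompute the hash with the stored salt and compare without early exit."""
    algo, iterations, salt, stored = encoded.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(digest.hex(), stored)


# Constructed user table standing in for the database (step 2 reads from it).
USERS = {
    "tsans": {"password": make_password("correct horse battery staple"), "is_active": True},
    "alice": {"password": make_password("hunter2"), "is_active": False},
}
# Hashed once at start-up so that a lookup of an unknown username costs the
# same as a real one and response time does not reveal which accounts exist.
DUMMY_PASSWORD = make_password(secrets.token_hex(16))

SESSIONS = {}  # session_key -> data; stands in for Django's session table


def authenticate(username, password):
    """Step 2: return the username if the credentials match, else None."""
    record = USERS.get(username)
    encoded = record["password"] if record else DUMMY_PASSWORD
    ok = check_password(password, encoded)
    return username if (ok and record is not None) else None


def login(username):
    """Step 3: start a fresh session bound to the authenticated user."""
    key = secrets.token_urlsafe(32)
    SESSIONS[key] = {"username": username}
    return key


def login_view(username, password):
    """Steps 1 to 4 for one POST: returns (outcome, session_key or None)."""
    who = authenticate(username, password)
    if who is None:
        return "invalid login", None
    if not USERS[who]["is_active"]:
        return "disabled account", None
    return "ok", login(who)
```

The same "invalid login" outcome is returned for a wrong password and for an unknown username, and both paths do the same amount of hashing, so the login form does not double as a username oracle.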
• 25. Django login/logout urls

  WebDirectory/urls.py

    from django.conf.urls import patterns

    urlpatterns += patterns('',
        # Django predefined login view, rendered with the user's defined login page
        (r'^login/$', 'django.contrib.auth.views.login',
            {'template_name': 'WebDirectory/login.html'}),
        # user defined logout view
        (r'^logout/$', 'WebDirectory.views.logout_view'),
    )

• 26. Or you can manage your own login view (example)

    from django.contrib.auth import authenticate, login
    from django.core.urlresolvers import reverse
    from django.http import HttpResponse, HttpResponseRedirect

    def login_view(request):
        username = request.POST['username']
        password = request.POST['password']
        user = authenticate(username=username, password=password)
        if user is not None:
            if user.is_active:
                login(request, user)
                # Redirect to a success page.
                return HttpResponseRedirect(reverse('WebDirectory.views.index'))
            else:
                # Return a 'disabled account' error message.
                return HttpResponse('disabled account')
        else:
            # Return an 'invalid login' error message.
            return HttpResponse('invalid login')

• 27. Logout

  WebDirectory/views.py

    from django.contrib.auth import logout
    from django.core.urlresolvers import reverse
    from django.http import HttpResponseRedirect

    def logout_view(request):
        logout(request)
        return HttpResponseRedirect(reverse('WebDirectory.views.index'))
  • 28. Protecting resources • Certain views might be accessible by the authenticated users only
• 29. Version 1 - using the template

    {% if user.is_authenticated %}
        <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
    {% else %}
        <p>Welcome, new user. Please log in.</p>
    {% endif %}

• 30. Version 2 - using the views

    def index(request):
        if request.user.is_authenticated():
            # Do something for authenticated users.
            ...
        else:
            # Do something for anonymous users.
            ...

• 31. Version 3 - using a decorator in the view

    from django.contrib.auth.decorators import login_required

    @login_required(login_url='/myapp/login/')
    def index(request):
        # Do something for authenticated users.
        ...

• 32. WebDirectory - security policy

  1. Only authenticated users can see the web gallery

• 33. WebDirectory

  WebDirectory/views.py

    @login_required(login_url='/webdirectory/login/')
    def index(request):
        entry_list = Entry.objects.all()
        ...

• 34. WebDirectory

  WebDirectory/views.py

    @login_required(login_url='/webdirectory/login/')
    def index(request):
        entry_list = Entry.objects.all()
        ...

  But, we must also protect all the other views:
  • getImage
  • add
  • search

• 36. WebDirectory - security policy

  1. Only authenticated users can see the web gallery
  2. Only the admin user “tsans” can add a new entry

• 37. Version 0 - hide the upload button (template)

  WebDirectory/templates/WebDirectory/index.html

    {% if admin %}
        <a href="#" id="publisherButton" onclick="showHideUploader();return false;">
            Show uploader
        </a>
        <div id="publisher">
            ...
        </div>
    {% endif %}
• 38. Version 0 - hide the upload button (view)

  WebDirectory/views.py

    @login_required(login_url='/webdirectory/login/')
    def index(request):
        entry_list = Entry.objects.all()
        ...
        return render_to_response('WebDirectory/index.html',
                                  {'entry_list': entry_list,
                                   'admin': request.user.username == 'tsans'})

• 39. Version 0 - hide the upload button (view)

  WebDirectory/views.py

    @login_required(login_url='/webdirectory/login/')
    def index(request):
        entry_list = Entry.objects.all()
        ...
        return render_to_response('WebDirectory/index.html',
                                  {'entry_list': entry_list,
                                   'admin': request.user.username == 'tsans'})

  This is absolutely not secure enough !!!

• 40. Version 1 - protecting the view

  WebDirectory/views.py

    from django.core.exceptions import PermissionDenied

    @login_required(login_url='/webdirectory/login/')
    def add(request):
        if request.user.username == 'tsans':
            # add the entry to the database
            ...
        else:
            # Django has no Http500; PermissionDenied produces an HTTP 403 response
            raise PermissionDenied

• 41. Django permissions

  • Based on the Django admin features, the model Entry predefines 3 permissions:
    • Entry.add_entry
    • Entry.change_entry
    • Entry.delete_entry
  • In code a permission is referred to as '<app_label>.<codename>', i.e. 'WebDirectory.add_entry' here

• 42. Version 2 - using permissions in the view

  WebDirectory/views.py

    from django.core.exceptions import PermissionDenied

    @login_required(login_url='/webdirectory/login/')
    def add(request):
        # has_perm() expects '<app_label>.<codename>'
        if request.user.has_perm('WebDirectory.add_entry'):
            # add the entry to the database
            ...
        else:
            raise PermissionDenied

• 43. Version 3 - using a decorator in the view

  WebDirectory/views.py

    from django.contrib.auth.decorators import permission_required

    @permission_required('WebDirectory.add_entry')
    def add(request):
        # add the entry to the database
        ...

• 44. Define custom permissions (example)

    class Task(models.Model):
        ...
        class Meta:
            permissions = (
                ("view_task", "Can see available tasks"),
                ("change_task_status", "Can change the status of tasks"),
                ("close_task", "Can close a task"),
            )

• 45. Summary

  • What is the difference between a cookie and a session?
  • How are users authenticated?
  • What is the difference between authentication and authorization?
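Slides 37 to 43 make one point: hiding the upload button in the template decides what the browser shows, not what the server allows, and only a check in the view (version 1), a has_perm() test (version 2) or a permission_required decorator (version 3) actually refuses the request. The following added example (not from the slides, and not Django's code) reproduces that contrast with a tiny stand-in for request.user.has_perm() and for the decorator; permission strings use Django's '<app_label>.<codename>' form, and the User, Request, PermissionDenied and view names are the example's own.

```python
# Added example (not from the slides): enforcing a permission in the view versus
# merely hiding the button. Plain Python stand-ins for the Django pieces.
import functools


class PermissionDenied(Exception):
    """Stands in for django.core.exceptions.PermissionDenied (HTTP 403)."""


class User:
    def __init__(self, username, perms=()):
        self.username = username
        self._perms = set(perms)  # '<app_label>.<codename>' strings

    def has_perm(self, perm):
        return perm in self._perms


class Request:
    def __init__(self, user):
        self.user = user


def permission_required(perm):
    """Decorator: the view body never runs for a user lacking `perm`."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            if not request.user.has_perm(perm):
                raise PermissionDenied(perm)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


ENTRIES = []  # constructed stand-in for the Entry table


def render_index(request):
    """Version 0, template side: decides only what to display."""
    return {"show_uploader": request.user.has_perm("WebDirectory.add_entry")}


def add_unprotected(request, title):
    """Version 0, view side: the button is hidden, but the view accepts anyone who reaches it."""
    ENTRIES.append((request.user.username, title))
    return "added"


@permission_required("WebDirectory.add_entry")
def add(request, title):
    """Version 3: the permission is enforced where the state actually changes."""
    ENTRIES.append((request.user.username, title))
    return "added"


def try_add(view, request, title):
    """Run a view and report the outcome the way the client would see it."""
    try:
        return view(request, title)
    except PermissionDenied:
        return "403 forbidden"
```

The template check and the view check use the same has_perm() call, which is the right division of labour: the template uses it to avoid showing a control the user cannot use, the view uses it to refuse the request regardless of how it was produced.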