Authentication

826 views

Published on

Published in: Technology, Self Improvement
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
826
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Authentication

    1. 1. Cookies, Sessions andUser Authentication Thierry Sans
    2. 2. Today, we will• bake cookies• and use cookies to implement sessions• and use sessions to authenticate users• and define user’s permissions
    3. 3. Before we start
    4. 4. Security assumptionsClient Side Server SideWeb Browser Web Server Database
    5. 5. Security assumptions You have absolutely no control on the clientClient Side Server SideWeb Browser Web Server Database
    6. 6. Cookies
    7. 7. The big picture key/value pairs dataClient Side Server Side HTTP request HTTP response HTTP request HTTP responseWeb Browser Web Server
    8. 8. Cookies• Cookies are pieces of data sent back and forth between the browser and the server in HTTP request and response
    9. 9. Anatomy of a Cookie• Text data (Up to 4kb)• May (or may not) have an expiration date• Can be manipulated from the client and the server
    10. 10. What cookies are useful for?• Shopping cart• Browsing preferences• “Remember me on this computer”• User authentication
    11. 11. Manipulating cookies• A cookie can be modified • on the server side - Django • on the client side - jQuery Cookie plugin
    12. 12. Remember the search input (in Javascript) WebDirectory/static/js/init.js function search(){ var input = $.trim($("input[name=search]").val()); $.cookie(keywords, input); storing data WebDirectory/static/js/init.js function init(){ if ($.cookie("keywords")){ $("input[name=search]").val($.cookie("keywords")); search(); } } retrieving data
    13. 13. Remember the number of visits (in Django) WebDirectory/views.py def index(request): entry_list = Entry.objects.all() retrieving data if nb_visits in request.COOKIES: n = int(request.COOKIES[nb_visits]) + 1 else: n = 1 response = render_to_response(WebDirectory/index.html, {entry_list: entry_list, nb_visits: n}) response.set_cookie(nb_visits, value=n, max_age=None, expires=None, path=/webdirectory/, domain=None, secure=None, httponly=False) return response storing data
    14. 14. Firefox - debugging (and hacking) cookies
    15. 15. Hacking cookiesThe user can create, modify, delete key/value pairs in cookies
    16. 16. Sessions
    17. 17. The big picture session idClient Side Server Side HTTP request HTTP response HTTP request HTTP responseWeb Browser Web Server key/value pairs data
    18. 18. The concept of session• There is a session id (aka token) between the browser and the web application• This session id should be unique and unforgeable (usually a long random number or a hash)• This session id is bind to key/value pairs data
    19. 19. Where sessions values are stored• Session ID is stored in a cookie• Session key/value pairs are stored on the server in the database with Django
    20. 20. Remember the number of visits using sessions WebDirectory/views.py def index(request): if nb_visits in request.session: n = int(request.session[nb_visits]) + 1 else: n = 1 retrieving data request.session[nb_visits] = n response = render_to_response(WebDirectory/index.html, {entry_list: entry_list, nb_visits: n}) return response storing data
    21. 21. Hacking sessionsThe user can create, modify, delete the session ID in the cookieBut cannot access the key/value pairs stored on the server
    22. 22. Clearing the session delete the cookie Dirty (but the session values are still on the server) use flush() in the view to delete the current Program session data and regenerate the session key django-admin.py cleanup Command deletes any session in the session table whose expire_date is in the past
    23. 23. User Authentication
    24. 24. The simple recipe for user authentication1. Ask the user for a login and password and send it to the server (HTTP/POST request)2. Verify the login/password based on information stored on the server (usually in the database)3. Start a session if the login password matches i.e. once the user has been successfully authenticated4. Grant access to resources according to the session
    25. 25. Django login/logout urls Django predefined login view WebDirectory/urls.pyurlpatterns += patterns(, (r^login/$, django.contrib.auth.views.login, {template_name: WebDirectory/login.html}), (r^logout/$, WebDirectory.views.logout_view)) User’s defined login page User defined logout view
    26. 26. Or your can manage your own login view examplefrom django.contrib.auth import authenticate, logindef login_view(request): username = request.POST[username] password = request.POST[password] user = authenticate(username=username, password=password) if user is not None: if user.is_active: login(request, user) # Redirect to a success page. else: # Return a disabled account error message else: # Return an invalid login error message.
    27. 27. Logout WebDirectory/views.pyfrom django.contrib.auth import logoutdef logout_view(request): logout(request) return HttpResponseRedirect(reverse(WebDirectory.views.index,))
    28. 28. Protecting resources• Certain views might be accessible by the authenticated users only
    29. 29. Version 1 - using the template{% if user.is_authenticated %} <p>Welcome, {{ user.username }}. Thanks for logging in.</p>{% else %} <p>Welcome, new user. Please log in.</p>{% endif %}
    30. 30. Version 2 - using the viewsdef index(request): if request.user.is_authenticated(): # Do something for authenticated users. else: # Do something for anonymous users.
    31. 31. Version 3 - using a decorator in the viewfrom django.contrib.auth.decorators import login_required@login_required(login_url=/myapp/login/)def index(request): # Do something for authenticated users.
    32. 32. WebDirectory - security policy1. Only authenticated users can see the web gallery
    33. 33. WebDirectory WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def index(request): entry_list = Entry.objects.all() ...
    34. 34. WebDirectory WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def index(request): entry_list = Entry.objects.all() ... But, we must also protect all the other views: • getImage • add • search
    35. 35. Authorization
    36. 36. WebDirectory - security policy1. Only authenticated users can see the web gallery2. Only the admin user “tsans” can add a new entry
    37. 37. Version 0 - hide the upload button (template) WebDirectory/templates/WebDirectoryindex.html{% if admin %} <a href="#" id="publisherButton" onclick="showHideUploader();return false;"> Show uploader </a> <div id="publisher"> ... ... </div>{% endif %}
    38. 38. Version 0 -hide the upload button (view) WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def index(request): entry_list = Entry.objects.all() ... return render_to_response(WebDirectory/index.html, {entry_list: entry_list, request.user.username==tsans})
    39. 39. Version 0 -hide the upload button (view) WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def index(request): entry_list = Entry.objects.all() ... return render_to_response(WebDirectory/index.html, {entry_list: entry_list, request.user.username==tsans}) This is absolutely not secure enough !!!
    40. 40. Version 1 - protecting the view WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def add(request): if (request.user.username == tsans) # add the entry to the database else: raise Http500
    41. 41. Django permissions• Based on the Django admin features, the model Entity predefines 3 permissions: • Entry.add_entry • Entry.change_entry • Entry.delete_entry
    42. 42. Version 2 - using permissions in the view WebDirectory/views.py@login_required(login_url=/webdirectory/login/)def add(request): if request.user.has_perm(Entry.add_entity): # add the entry to the database else: raise Http500
    43. 43. Version 3 - - using a decorator in the view WebDirectory/views.py@permission_required(Entry.add_entry)def add(request): # add the entry to the database
    44. 44. Define custom permissions exampleclass Task(models.Model): ... class Meta: permissions = ( ("view_task", "Can see available tasks"), ("change_task_status", "Can change the status of tasks"), ("close_task", "Can close a task"), )
    45. 45. Summary• What is the difference between a cookie and a session?• How are users authenticated?• What is the difference between authentication and authorization?

    ×