
15-437 Authentication

ThierrySans
October 01, 2013


Transcript

  1. Today, we will
     • eat cookies and understand how they work
     • use cookies to implement sessions
     • use sessions to authenticate users
     • define users' permissions
  2. Security assumptions
     [diagram] Server side: Web Server, Database. Client side: Web Browser.
     You have absolutely no control over the client.
  3. The big picture
     [diagram] The Web Browser (client side) and the Web Server (server side) exchange HTTP requests and HTTP responses; key/value pairs of data travel with them.
  4. Cookies
     Cookies are pieces of data sent back and forth between the browser and the server in HTTP requests and responses.
  5. Anatomy of a cookie
     • Text data (up to 4 KB)
     • May (or may not) have an expiration date
     • Can be manipulated from the client and from the server
  6. What are cookies useful for?
     • Shopping cart
     • Browsing preferences
     • "Remember me on this computer"
     • User authentication
     • Tracking and advertisement
  7. Manipulating cookies
     A cookie can be modified
     • on the server side - Django
     • on the client side - jQuery Cookie plugin, http://plugins.jquery.com/cookie/
  8. Remember the search input (in JavaScript) - WebDirectory/static/js/init.js
     storing data:
         var input = $.trim($("input[name=filter]").val());
         $.cookie('keywords', input);
     retrieving data:
         if ($.cookie("keywords")) {
             $("input[name=filter]").val($.cookie("keywords"));
         }
  9. Remember the number of visits (in Django) - WebDirectory/views.py
         from django.shortcuts import render

         def index(request):
             # retrieving data: the cookie value comes from the client
             if 'nb_visits' in request.COOKIES:
                 n = int(request.COOKIES['nb_visits']) + 1
             else:
                 n = 1
             response = render(request, 'WebDirectory/index.html', {'nb_visits': n})
             # storing data: the new value goes back in a Set-Cookie header
             response.set_cookie('nb_visits', value=n, max_age=None, expires=None,
                                 path='/webdirectory/', domain=None, secure=None,
                                 httponly=False)
             return response
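The view above casts the cookie value with int() as soon as it arrives. Since slide 5 says the client can manipulate cookies, that value is untrusted: a cookie edited to a non-number makes int() raise and the request fail. The following is an added example, not code from the slides, that rewrites the counter without Django: it validates the value before using it and sets the Set-Cookie attributes explicitly. The names (next_visit_count, handle_request, VALUE_PATTERN) and the 7-digit cap are constructed for the example.

```python
# Added example, not from the slides: the visit counter of slide 9 written
# without Django. The cookie value is chosen by the client, so it is validated
# before int() is called on it, and the Set-Cookie attributes are set
# explicitly. Names and the digit cap are constructed for the example.
import re
from http.cookies import SimpleCookie

COOKIE_NAME = "nb_visits"
VALUE_PATTERN = re.compile(r"[0-9]{1,7}")  # small non-negative integer only


def next_visit_count(raw_value):
    """Return the new count derived from an untrusted cookie value.

    Calling int() directly on the cookie, as the slide does, turns a cookie
    edited to 'abc' into a ValueError and a 500 response. Here any value that
    is not a small non-negative integer simply restarts the counter at 1.
    """
    if raw_value is None or not VALUE_PATTERN.fullmatch(raw_value):
        return 1
    return int(raw_value) + 1


def handle_request(cookie_header):
    """Simulate the view for one request.

    cookie_header is the raw Cookie request header ('' if absent). Returns
    (count shown on the page, Set-Cookie header value sent back).
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    raw = jar[COOKIE_NAME].value if COOKIE_NAME in jar else None
    n = next_visit_count(raw)

    out = SimpleCookie()
    out[COOKIE_NAME] = str(n)
    out[COOKIE_NAME]["path"] = "/webdirectory/"  # same scope as the slide's set_cookie
    out[COOKIE_NAME]["httponly"] = True  # not exposed to page scripts
    out[COOKIE_NAME]["secure"] = True  # only sent over HTTPS
    # output() prefixes "Set-Cookie:"; header="" leaves just the header value.
    return n, out.output(header="").strip()


if __name__ == "__main__":
    # constructed request sequence: first visit, a normal return visit,
    # and a visit carrying a hand-edited cookie
    for header in ("", "nb_visits=2", "nb_visits=abc"):
        count, set_cookie = handle_request(header)
        print(f"Cookie: {header!r} -> nb_visits={count}; Set-Cookie: {set_cookie}")
```

The edited cookie is handled by resetting the counter rather than failing the request; the same validate-then-use shape applies to any cookie the application reads directly instead of through a server-side session.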
  10. The big picture
      [diagram] The Web Browser (client side) and the Web Server (server side) exchange HTTP requests and HTTP responses carrying a session id; the key/value pairs of data are associated with that id.
  11. The concept of session
      • There is a session id (aka token) between the browser and the web application
      • This session id should be unique and unforgeable (usually a long random number or a hash)
      • This session id is bound to key/value pairs of data
  12. Where session values are stored
      • The session id is stored in a cookie
      • The session key/value pairs are stored on the server, in the database with Django
  13. Remember the number of visits using sessions - WebDirectory/views.py
          from django.shortcuts import render_to_response

          def index(request):
              # retrieving data: read from the server-side session, not from the cookie
              if 'nb_visits' in request.session:
                  n = int(request.session['nb_visits']) + 1
              else:
                  n = 1
              # storing data: the session middleware persists this on the server
              request.session['nb_visits'] = n
              # entry_list: the directory entries, computed earlier in the view (not shown on the slide)
              response = render_to_response('WebDirectory/index.html',
                                            {'entry_list': entry_list, 'nb_visits': n})
              return response
  14. Hacking sessions
      The user can create, modify or delete the session ID in the cookie, but cannot access the key/value pairs stored on the server.
  15. Clearing the session
      • Dirty: delete the cookie (but the session values are still on the server)
      • Program: use flush() in the view to delete the current session data and regenerate the session key
      • Command: python manage.py clearsessions deletes any session in the session table whose expire_date is in the past
  16. The simple recipe for user authentication
      1. Ask the user for a login and password and send it to the server (HTTP POST request)
      2. Verify the login/password against information stored on the server (usually in the database)
      3. Start a session if the login and password match, i.e. once the user has been successfully authenticated
      4. Grant access to resources according to the session
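Slides 11 to 16 state the properties a session must have and then the recipe that builds authentication on top of it. The following is an added example, not code from the slides or from Django, that implements both in plain Python so the properties can be checked directly: the session id is a long random token, the data stays server-side so a forged or edited id yields no session at all, flush() discards the data and issues a new id, clearsessions() removes expired rows, and login verifies a password hash before starting a fresh authenticated session. SessionStore, UserStore, login, current_user and the sample users are constructed names for the example.

```python
# Added example, not from the slides: a minimal server-side session store and
# the four-step login recipe of slide 16, without Django. Class and function
# names (SessionStore, UserStore, login, current_user) are constructed.
import hashlib
import hmac
import os
import secrets
import time


class SessionStore:
    """Maps opaque session ids to server-side dicts, with expiry."""

    def __init__(self, ttl_seconds=14 * 24 * 3600, clock=time.time):
        self._data = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 random bits: unique and unforgeable in practice
        self._data[sid] = {"_expires": self._clock() + self._ttl}
        return sid

    def get(self, sid):
        """Return the session dict, or None for an unknown, forged or expired id."""
        session = self._data.get(sid)
        if session is None or session["_expires"] < self._clock():
            self._data.pop(sid, None)
            return None
        return session

    def flush(self, sid):
        """Drop the current data and hand out a new id (what Django's flush() does)."""
        self._data.pop(sid, None)
        return self.create()

    def clearsessions(self):
        """Remove expired rows, like manage.py clearsessions; returns how many."""
        now = self._clock()
        expired = [s for s, d in self._data.items() if d["_expires"] < now]
        for s in expired:
            del self._data[s]
        return len(expired)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, iterations, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    """Stand-in for the user table of step 2."""

    def __init__(self):
        self._users = {}

    def add(self, username, password):
        self._users[username] = hash_password(password)

    def check(self, username, password):
        record = self._users.get(username)
        return record is not None and verify_password(password, *record)


def login(users, sessions, presented_sid, username, password):
    """Steps 2 and 3: verify the credentials, then start an authenticated session.

    presented_sid is whatever id the browser sent (possibly none or forged).
    Returns (success, session id the browser should now hold).
    """
    if not users.check(username, password):
        return False, presented_sid
    # A fresh id on login means an id the client held before authenticating never
    # becomes an authenticated one.
    new_sid = sessions.flush(presented_sid)
    sessions.get(new_sid)["user"] = username
    return True, new_sid


def current_user(sessions, sid):
    """Step 4: access decisions read the user from server-side data only."""
    session = sessions.get(sid)
    return None if session is None else session.get("user")
```

Note that the client never sees anything but the random id; whatever it writes into the cookie is looked up, not trusted, which is exactly the distinction slide 14 draws.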
  17. Django login/logout URLs - WebDirectory/urls.py
          from django.conf.urls import patterns, url

          urlpatterns += patterns('',
              # Django predefined login view, rendered with a user-defined login page
              url(r'^login/$', 'django.contrib.auth.views.login',
                  {'template_name': 'WebDirectory/login.html'}, name='login'),
              # user-defined logout view
              url(r'^logout/$', 'WebDirectory.views.logout_view', name='logout'),
          )
  18. Or you can manage your own login view (example)
          from django.contrib.auth import authenticate, login
          from django.http import HttpResponse, HttpResponseRedirect

          def login_view(request):
              username = request.POST['username']
              password = request.POST['password']
              user = authenticate(username=username, password=password)
              if user is not None:
                  if user.is_active:
                      login(request, user)
                      # Redirect to a success page.
                      return HttpResponseRedirect('/webdirectory/')
                  else:
                      # Return a 'disabled account' error message.
                      return HttpResponse('Disabled account')
              else:
                  # Return an 'invalid login' error message.
                  return HttpResponse('Invalid login')
  19. Version 1 - using the template
          {% if request.user.is_authenticated %}
              <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
          {% else %}
              <p>Welcome, new user. Please log in.</p>
          {% endif %}
  20. Version 2 - using the views
          def index(request):
              if request.user.is_authenticated():
                  pass  # Do something for authenticated users.
              else:
                  pass  # Do something for anonymous users.
  21. Version 3 - using a decorator in the view
          from django.contrib.auth.decorators import login_required

          @login_required(login_url='/myapp/login/')
          def index(request):
              pass  # Do something for authenticated users.
  22. The web directory security policy
      1. Only authenticated users can see the web gallery
      2. Only the admin superuser can add a new entry
  23. Version 0 - hide the upload button (template) - WebDirectory/templates/WebDirectory/index.html
          {% if admin %}
              <div id="publisher">
                  <a href="{% url 'uploader' %}">Upload a new entry!</a>
              </div>
          {% endif %}
  24. Version 0 - hide the upload button (view) - WebDirectory/views.py
          @login_required(login_url='/webdirectory/login/')
          def index(request):
              ...
              # other context variables omitted on the slide
              return render(request, 'WebDirectory/index.html',
                            {'admin': request.user.is_superuser})
      This is absolutely not secure!!! The template only hides the link; nothing stops a logged-in user from sending the upload request directly.
  25. Version 1 - protecting the view - WebDirectory/views.py
          from django.core.exceptions import PermissionDenied  # Django renders it as HTTP 403

          @login_required(login_url='/webdirectory/login/')
          def add(request):
              if request.user.username == 'tsans':
                  pass  # add the entry to the database
              else:
                  raise PermissionDenied  # the slide wrote Http403, which Django does not define
  26. Django permissions
      • Based on the Django admin features, the model Entry predefines 3 permissions:
        • Entry.add_entry
        • Entry.change_entry
        • Entry.delete_entry
  27. Version 2 - using permissions in the view - WebDirectory/views.py
          @login_required(login_url='/webdirectory/login/')
          def add(request):
              if request.user.has_perm('Entry.add_entry'):
                  pass  # add the entry to the database
              else:
                  raise PermissionDenied  # HTTP 403; the slide wrote Http403, which Django does not define
  28. Version 3 - using a decorator in the view - WebDirectory/views.py
          from django.contrib.auth.decorators import permission_required

          @permission_required('Entry.add_entry')
          def add(request):
              pass  # add the entry to the database
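Slides 23 to 28 move the access check from the template, where it only decides whether a link is drawn, into the view that changes the data. The following is an added example, not code from the slides or from Django, that puts the two side by side in plain Python: a Version 0 view that trusts the hidden button, and a Version 3 view guarded by a permission check, exercised with a request sent straight to each view. PermissionDenied, User, has_perm, permission_required and the sample users are constructed stand-ins that mimic the Django behaviour the slides rely on (an active superuser passes every has_perm check); the permission label Entry.add_entry is the one the slides use.

```python
# Added example, not from the slides: "hide the button" (slide 24) beside the
# permission check of slides 27-28, without Django. User, has_perm,
# permission_required and PermissionDenied are constructed stand-ins that
# mimic the Django behaviour the slides rely on.
import functools


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (rendered as HTTP 403)."""


class User:
    def __init__(self, username, is_superuser=False, perms=()):
        self.username = username
        self.is_superuser = is_superuser
        self._perms = frozenset(perms)

    def has_perm(self, perm):
        # Like Django: an active superuser implicitly holds every permission.
        return self.is_superuser or perm in self._perms


def permission_required(perm):
    """Decorator in the spirit of django.contrib.auth.decorators.permission_required."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(user, *args, **kwargs):
            if not user.has_perm(perm):
                raise PermissionDenied(perm)
            return view(user, *args, **kwargs)
        return wrapper
    return decorator


ENTRIES = []  # constructed stand-in for the Entry table


def index_context(user):
    """Version 0: the template variable that decides whether the upload link is drawn."""
    return {"admin": user.is_superuser}


def add_unprotected(user, title):
    """Version 0 server side: assumes only admins ever reach this view."""
    ENTRIES.append((user.username, title))
    return len(ENTRIES)


@permission_required("Entry.add_entry")
def add(user, title):
    """Version 3: the check sits where the state actually changes."""
    ENTRIES.append((user.username, title))
    return len(ENTRIES)


def attempt(view, user, title):
    """Call a view the way a request sent directly to its URL would; report 201 or 403."""
    try:
        view(user, title)
        return 201
    except PermissionDenied:
        return 403


if __name__ == "__main__":
    admin = User("tsans", is_superuser=True)
    student = User("student")  # constructed non-admin account
    print("button shown to student:", index_context(student)["admin"])
    print("student -> add_unprotected:", attempt(add_unprotected, student, "x"))
    print("student -> add:", attempt(add, student, "y"))
    print("admin   -> add:", attempt(add, admin, "z"))
```

Checking a permission rather than `request.user.username == 'tsans'` (slide 25) also means the policy follows whoever holds Entry.add_entry instead of being tied to one account name.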
  29. Define custom permissions (example)
          from django.db import models

          class Task(models.Model):
              ...
              class Meta:
                  permissions = (
                      ("view_task", "Can see available tasks"),
                      ("change_task_status", "Can change the status of tasks"),
                      ("close_task", "Can close a task"),
                  )
  30. Summary
      • What is the difference between a cookie and a session?
      • How are users authenticated?
      • What is the difference between authentication and authorization?