I use a pyramid and i need logout all users from my site. Currently i cant find any place where are sessions wrote. There is nothing written in pyramid documentations about this situation so is any way to do that?
This depends on the authentication backend you're using. If the backend stores the session somewhere, you can just clear that somewhere.
If you're using a backend that stores the session in a cookie, like AuthTktAuthenticationPolicy, then the cookie is signed with a secret that present in your configuration. Changing this secret would invalidate all cookies, effectively logging out all users.
Change your session factory settings, such that request object return the session after calling its session.clear method.
Related
what's a common approach of storing user sessions with Nodejs+Express and Firebase auth? I have Android and Ios app that I'd like to use the same logic on (later web as well), so I'd get the JWT token. I'd like to use that token as authorization for requests. Also I'd like to keep the user sessio and not require them to relogin again. I am not sure how to go about this, all of the Express Session resources I've found were on topic of web and cookies. I've stumbled upon MongoConnection a library for Express that presumably stores the sessions in the MongoDb, but how does the session work with non-web requests? Can anyone help me clarify this, I am aware that I am missing the point here as there is certainly an easy way to verify incoming requests and also have a session for the user to not have to login everytime.
Preferably I'd like to have an easy way to have endpoints that require JWT token access. Besides that also have a session of sorts. There is a function to verify tokens in the Firebase Admin SDK for Nodejs but it seems really weird to have to check the token manually in every request.
I treat sessions on the backend and front end entirely separately as I predominantly make RESTful apis. On the front end you can handle sessions however you like, e.g. you can start a session when a user authenticates with firebase auth, and set the user role maybe based of attributes on the firebase auth user. Use cookies, do whatever you prefer.
Then on the backend, on every endpoint just decode the token, verify it, check that the user has access to the resource they are requesting etc. Its common to write your own middlewares so that you dont have to repeat the decoding code. For further info on this approach, this might help. Its not weird to check the token manually on every request, its common practice to guarantee the authenticity of the request. Hope this is of some help.
To sum up, treat your front end session entirely separately from the backend. On your express server on the backend, on any protected endpoint decode and verify the token to determine if the user has access to the resource.
Backend sessions with firebase are a bad idea (due to it been serverless), its better to create a stateless restful api.
I am creating a webapp using nodejs backend and reactjs frontend with a mysql database, where each user has their own separate set of data.
I need to maintain sessions to identify users(for example, which user clicked the reset password button) whilst also implementing the logout feature (necessary).
I have read articles stating that logout with jwt defeats the purpose as it requires storing tokens on database.
I am confused whether to use cookies(way less secure) or jwt with database for maintaining sessions as I have never implemented this before.
You can use JWT , when an user is authentified, you send back the token with a refresh token, that you store in your MySQL database, to your react app.
One way to do this, I think, is to create jwt tokens, store them in cookies and then remove the cookie on logout, and hence not storing it in a database . I would still like to know other ways to do this.
I have a bunch of questions about express-session and JWT in a project that I am building.
I have an Express API server that I want to protect using some sort of API key, to make sure only authorized applications can access to my data. JWT would probably get the job done. However I also need to authenticate users and restrict them from accessing certain parts of the data (e.g. role-based permissions) using express-session.
The frontend server would be a Next.js instance, which would save and use the cookies for express-session. The session would be stored in a MongoDB instance.
Would I be able to use both authentication methods in the same project? Would it be secure? Is there any easier approach to this? How could I implement the permissions?
Any help and tips would be appreciated.
JWT and Express-Session both accomplish the same thing. The difference is a browser does not allows a http-only cookie to be accessible through javascript. At then end they are both used for the same end.
The jwt should be related to a session of a user, therefore the users permissions are the ones that matter. These can be implemented in a DBs and related to the user. Does he has this permission or does his role has this permission is the middleware you would put on the routes.
In case of doing it with express-session, I would personally take the same approach.
I have an angular2 app that authenticates through OAuth2 with password grant type. I store the session token on sessionStorage, and I need to store another data more secure, like user current roles.
I know that I can store more information in sessionStorage or localStorage, but this is easy modified by user. Although really, if the user modifies the sessionStorage, my backend is secured because check the token against user roles.
What happens is that if the user modifies his role he could see some hidden options, and i dont want this.
I think of two solutions, and i want listen some tips.
Save the role in sessionStorage encrypted, suggestion about this? what encryptation i should use?
Having a global service like is explained on angular docs, which is used by my navbar-component and load data on ngOnInit (because routes).
Any suggestion? Thanks.
We have in our dashboard the same case of yours.
Approaching the second option its a bit messy because you need to think what happen if the user reloads the page.
The service when you are reloading the page will loose the data and you will not know what where the roles for the user.
You can fix this issue by running http in the app component when init.
For the case of encrypting read this:
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
For now we use the approach of a Global Service. (Service are Singelton)
I have been through much of the documentation and examples provided, but Im looking for some inputs for my setup from other users.
I have a some clients (website, iOs/Android apps). These only serves as a shelves and its content will be requested through servicestack, which makes servicestack a central point of my setup.
The client will login through servicestack and get a sessionid.
My question here is, how should i setup servicestack to make sure that the user is validated on each request?
I was thinking after login, i save the user in the cache and make sure this expires after some time (unless persisted). Then on each request based on the session id, i check the cache to see if the user exists. If the user exists, the request i authenticated, and if not the user have to login again.
Am i on the right track here, or is there an easier way in servicestack, to support this?
I was thinking after login, i save the user in the cache and make sure this expires after some time (unless persisted).
It sounds like you can just use the Authentication/Authorization plugin. Once a user is authenticated (using any of the 'Providers') the user's session is stored in the cache using the key 'urn:iauthsession:[sessionId]' and contains a bool property isAuthenticated. For any Service the requires Authentication you can use the Authenticate attribute.