So, I have two Flask apps running on localhost, one on the port 5001, and the other one on the port 5003, and apparently both are using the same session. If I log in on one app, it logs out on the other. And for example, recently, if I logged in using my email on one app, it would also log in my account on the other app, since I have users using that email on both apps, and I was using the email as an user identifier, but that stop happening when I used another id for the users.
I'm using Flask-Login, and Google Chrome (the same thing happens in Edge).
I'm not really sure if this could also happen in production, we'll probably use the same host for both apps, so that would be a problem. If this is something related only to localhost, then it's ok, but I don't think that's the case.
Any idea of what could be happening here?
Thanks in advance.
I had a similar problem, and I think the cause is that both instances would use the same "session cookie" in the browser.
The solution that fixed it for me was renaming the SESSION_COOKIE_NAME which is session by default.
app.config.update(SESSION_COOKIE_NAME=<new_session_name>)
I found the solution via: https://stackoverflow.com/a/45497948/380038
Related
I am trying to get the information about the user who is accessing the website for user authentication and for some other purpose also. After looking at official documentation of Django I got this article but still when I am trying to access request.META["REMOTE_USER"] I am getting the error because no key exists. After some tweaks when I tried again I was getting the username of my PC even if I tried to access my website from another PC on from the same network.
I am using Django's lightweight server for testing, hosted on my PC and trying and access the website from another PC on the same network.
Please help and try to resolve this issue.
From your documentation link:
This type of authentication solution is typically seen on intranet sites, with single sign-on solutions such as IIS and Integrated Windows Authentication or Apache and mod_authnz_ldap, CAS, Cosign, WebAuth, mod_auth_sspi, etc.
When the Web server takes care of authentication it typically sets the REMOTE_USER environment variable for use in the underlying application.
So, you have to configure your web server to set REMOTE_USER to use that. You don't give a lot of context in your question, but are you sure this is what you're after? Otherwise, I'd recommend starting here:
https://docs.djangoproject.com/en/3.0/topics/auth/
We've decided not to use SSL anymore and unfortunately our server guy has quit and now I need to fix this. I've revoked the certs from Comodo, removed the SSL app from Heroku but that was apparently not enough and now we have serious problems with our site.
When visiting inteokej.nu one gets redirected to the app, but automatically http turns to https and instead of showing the domain (inteokej.nu) the app link is shown https://inteokej.herokuapp.com (I want inteokej.nu to be shown, not the actual app link).
That is a problem but not the biggest problem, which is that it's not possible to use the site anymore (e.g login, the static pages works though). When I try to login I first get a https security error and when I proceed I get to the following page: https://www.inteokej.nu/cgi-sys/defaultwebpage.cgi ("Sorry! If you are the owner of this website, please contact your hosting provider: webmaster#inteokej.nu").
I've now learned the hard way that SSL is a complex thing but I really need to get this site up again as soon as possible. So, where should I start and how could I proceed from this point? I guess there's some back end coding that should be done in the django code as well?
Thanks a lot in advance!
Your issue doesn't seem to be with SSL but DNS or at least however your server guy set things up.
The error page you're seeing isn't a Heroku error, inteokej.nu isn't being hosted on Heroku but on a server run by your DNS provider svenskadomaner.se .
If you use the Firefox Live HTTP Headers plugin you can follow the request/response cycle and you'll see that there is a 301 redirect from www.inteokej.nu to inteokej.herokuapp.com (probably an .htaccess redirect).
Check the DNS records for your domain (like here http://viewdns.info/dnsrecord/?domain=inteokej.nu ) you'll see that there is no CNAME record to Heroku, only an A Record to 46.22.116.5 which is an IP Address owned by svenskadomaner.se.
So the thing to do is to set up the custom domain as recommended on Heroku's site:
https://devcenter.heroku.com/articles/custom-domains
and set the CNAME to Heroku's recommendation.
One reason your server guy might have set things up like they did is that Heroku doesn't easily allow "naked domains", so people often do .htaccess redirects from example.com to www.example (which does work easily with CNAMEs).
Good luck!
I'm sure this question is easily googleable, but I can't seem to find the right query to find the answer I want.
I'm running several apps on my home server that all serve their own website for admin and info purposes. Currently I access them all from the internet using http://MyHouseServerAddress.com:8080 etc. Where 8080 is replaced with 8081, 8082 etc. for each app. They all have their own usernames and passwords and some of them use SSL
What I want is to have a single access point, e.g. http://MyHouseServerAddress.com which gives me access to each app. Each app will have a link on that page which will take you to that app's website as if it were just a page on the main site. However... I want the single access point to be password protected and SSL'd, BUT I want to remove the passwords from all the apps as they would be accessed through the single "portal" of the initial page which is password protected and SSL'd. I.e. each app would still serve on it's original port, but that port would no longer be accessible via the internet, instead any traffic from that port would be routed through the single access point.
What I'm trying to do it get a single password login, preferably via SSL to my home server which gives me access to all my other serving apps but also secures them all behind the single login.
Can this be done with a python script or a C# app for instance running some sort of proxy or port forward script? Or would running an Appache server that can redirect traffic through itself work? I'm happy to write code to solve the problem if needed.
I hope this makes sense!
I'm running W7 on my home server.
Thanks,
Max
This sounds very much like a portal with single sign-on. I haven't tried, but you might get away with implementing oauth on your sites and have the main site be the provider.
Other way would be to use soemthing like CAS.
Look at this question for options.
You can install Apache+PHP on port 80, install PHP Web Proxy on it, allow local access to your apps (so they allow access without password from localhost) and secure this gateway with .htaccess and .htpasswd, or another way.
This is most simple solution for home using. Good enterprise solution would be SSO, bad it is not simple.
I'm writing panel for administrating nginx (domains, rewrites, etc), svn and other services. For that, i'm writing backend that will work on root (to change nginx configs, reload them, change user passwords, etc), and client (console client, and web app).
App works on unix sockets, and i made very simple protocol for it:
\0\0\0\0user\0key\0module\0command\0data\0
Well, this is quite simple. Client sends command and data to backend, fox ex:
\0\0\0\0morsik\0\0nginx\0add_domain\0www.domain.tld something\0
Problem is, how to authenticate that user is really morsik? For web interface i don't have to - web page have it's own authorization so i can sent some key that will work for every user that nobody will know.
Problem is if somebody have access to ssh. Then he could write simple client that will spoof username and then he could change other user configuration.
So, how can i made correct authorization for users?
Don't reinvent the wheel. ;) I found this discussion enlightening:
http://cyberelk.net/tim/2007/03/08/cups-unix-domain-sockets-authentication/ Explains the concept of socket auth.
http://pythonic.pocoo.org/2007/7/7/unix-socket-credentials-with-python Helpful details.
http://atlee.ca/software/pam/ This might work also, though less convenient.
Create a group for app admins only, etc.
I have two Django projects and applications running on the same Apache installation. Both projects and both applications have the same name, for example myproject.myapplication. They are each in separately named directories so it looks like .../dir1/myproject/myapplication and .../dir2/myproject/myapplication.
Everything about the actual public facing applications works fine. When I log into either of the admin sites it seems ok, but if I switch and do any work on the opposite admin site I get logged out of the first one. In short I can't be logged into both admin sites at once. Any help would be appreciated.
Set the SESSION_COOKIE_DOMAIN option. You need to set the domain for each of your sites so the cookies don't override each other.
You can also use SESSION_COOKIE_NAME to make the cookie names different for each site.
I ran into a similar issue with a live & staging site hosted on the same Apache server (on CentOS). I added unique SESSION_COOKIE_NAME values to each site's settings (in local_settings.py, create one if you don't have one and import it in your settings.py), set the SESSION_COOKIE_DOMAIN for the live site and set SESSION_COOKIE_DOMAIN = None for staging. I also ran "python manage.py cleanup" to (hopefully) clean any conflicted information out of the database.
Well, if they have the same project and application names, then the databases and tables will be the same. Your django_session table which holds the session information is the same for both sites. You have to use different project names that will go in different MySQL (or whatever) databases.
The session information is stored in the database, so if you're sharing the database with both running instances, logging off one location will log you off both. If your circumstance requires you to share the database, the easiest workaround is probably to create a second user account with admin privileges.
Let me guess, is this running on your localhost? and you have each site assigned to a different port? i.e. localhost:8000, localhost:8001 ..?
I've had the same problem! (although I wasn't running Apache per se)
When you login to the admin site, you get a cookie in your browser that's associated with the domain "localhost", the cookie stores a pointer of some sort to a session stored in the database on the server.
When you visit the other site, the server tries to interpret the cookie, but fails. I'm guessing it deletes the cookie because it's "garbage".
What you can do in this case, is change your domain
use localhost:8000 for the first site, and 127.0.0.1:8001 for the second site. this way the second site doesn't attempt to read the cookie that was set by the first site
I also think you can edit your HOSTS file to add more aliases to 127.0.0.1 if you need to. (but I haven't tried this)