On 12/27/06, MR <[EMAIL PROTECTED]> wrote:
> Hello,
> I currently use identity for basic login authentication and also
> include identity checks in some AJAX request methods (my app is a
> single page that loads with all other updates being AJAX calls), and my
> app has been developing nicely.
> Last night, however, I realized that if I log in as User1 in Tab1 of a
> browser and then log in as User2 in Tab2 of a browser, I need to
> detect this and make sure that User1 gets logged out forcefully the
> next time any action is attempted (like GMail does), because otherwise
> I have some security issues on my hands: for example, after User2 is
> logged in, User1's actions are able to do things that "bleed" into
> User2's data and settings. This is because calls in the controller use
> identity.current.user.id for finding/changing things, and at this
> point identity.current.user.id apparently refers to User2. User1 still
> has an open window that's been authenticated, however, so this is where
> the security problem comes in.
This is a small security issue IMHO - if your app is really going to
be used by two different users from the same browser at the same time
then the users are going to be awfully unproductive ;)
Logging in as a different user in another browser tab/window just
means that the AJAX calls from the first tab will be executed with the
permissions of the second user. They can't actually do anything that
the second user can't.
If you want something similar to GMail's functionality that will
prevent you from doing anything if your session has timed out or
another user has logged in, it shouldn't be too hard to accomplish.
All of your methods will have to return a visit key (writing your own
decorator may save you some LOC here). On your page load you can then
make that visit key available to JavaScript and you can send the visit
key with every AJAX request.
Each exposed method can then check that the visit key is the same as
the key for the current user and return suitable data if the keys
don't match, which will in turn make your JavaScript redirect you to a
"You have been logged out or your session has expired" page.
To get the current user's visit key in a controller:
visit_key = identity.current.user.visit_identity[-1].visit_key
In your templates:
<span py:if="not tg.identity.anonymous"
      py:content="tg.identity.user.visit_identity[-1].visit_key">Visit Key here</span>
or:
<script type="text/javascript">
// the visit key is a string, so the template expression must be quoted
var visit_key = "${tg.identity.user.visit_identity[-1].visit_key}";
// do some other stuff here, like connecting your links/buttons using
// mochikit.signal
</script>
This may cost you extra overhead in redesigning how your JS works in
order to redirect when the key changes but it *should* get you what
you need.
Hope this helps,
Lee
--
Lee McFadden
blog: http://www.splee.co.uk
work: http://fireflisystems.com
skype: fireflisystems
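The check described in the reply above (the page is rendered with the current visit key, every AJAX call sends it back, and the exposed method refuses a request whose key no longer matches the session), as an added Python example that is not part of this thread or of TurboGears itself. The Session class, the requires_visit_key decorator and save_setting are constructed stand-ins for identity.current, the visit cookie and a real exposed controller method.

```python
import hmac
import secrets
from functools import wraps


class Session:
    """Constructed stand-in for the visit/identity store: one browser (one
    cookie jar) is bound to exactly one current user and visit key."""

    def __init__(self):
        self.user = None
        self.visit_key = None

    def login(self, user):
        # A new login rotates the visit key, so a page rendered for the
        # previous user still holds a key that no longer matches.
        self.user = user
        self.visit_key = secrets.token_hex(20)
        return self.visit_key


def requires_visit_key(handler):
    """Decorator for exposed AJAX methods: compare the key the page sent
    with the key bound to the session; on mismatch return the marker the
    JavaScript side uses to redirect to the 'logged out' page."""
    @wraps(handler)
    def wrapper(session, visit_key, *args, **kwargs):
        # compare_digest is constant-time, so a mismatch does not leak
        # how much of the key was right.
        if session.user is None or not hmac.compare_digest(
                session.visit_key or "", visit_key or ""):
            return {"error": "session_expired"}
        return handler(session, *args, **kwargs)
    return wrapper


@requires_visit_key
def save_setting(session, name, value):
    """Exposed method: writes to whoever the session currently belongs to."""
    session.user.setdefault("settings", {})[name] = value
    return {"ok": True, "user": session.user["name"]}


def two_tabs_demo():
    """Tab1 logs in as User1, then Tab2 logs in as User2 in the same browser.
    Tab1's pending AJAX call must be refused, not applied to User2's data."""
    user1, user2 = {"name": "User1"}, {"name": "User2"}
    browser = Session()
    tab1_key = browser.login(user1)
    tab2_key = browser.login(user2)
    stale = save_setting(browser, tab1_key, "theme", "dark")
    fresh = save_setting(browser, tab2_key, "theme", "dark")
    return stale, fresh, user1, user2
```

The stale call from Tab1 gets the session_expired marker and never touches User2's settings, while Tab2's call with the rotated key goes through.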
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/turbogears?hl=en
-~----------~----~----~----~------~----~------~--~---