admin管理员组文章数量:1208153
I have created a custom backend and related middleware which log users in on the sole condition that an ID_TOKEN cookie is passed along with the request.
My code is extensively based on django.contrib.auth.backends.RemoteUserBackend and its related middleware middleware django.contrib.auth.middleware.RemoteUserMiddleware.
Here is my middleware:
import hashlib
from django.conf import settings
from django.contrib import auth
from django.core.exceptions import ImproperlyConfigured, PermissionDenied
from django.urls import reverse
from django.utils.deprecation import MiddlewareMixin
from main.auth.backends import MyRemoteUserBackend
from main.auth.jwt import JWT
logger = logging.getLogger(__name__)
class AllowAllUsersMiddleware(MiddlewareMixin):
def process_request(self, request):
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"Requires 'AuthenticationMiddleware' in middleware"
)
try:
id_token = request.COOKIES["ID-TOKEN"]
except KeyError:
if request.user.is_authenticated:
self._remove_invalid_user(request)
return
token = JWT(id_token)
id_token_digest = hashlib.sha256(id_token.encode(), usedforsecurity=False).hexdigest()
has_id_token_digest_changed = id_token_digest != request.session.get("id_token_digest", "")
if request.user.is_authenticated:
if request.user.get_username() == token.username and not has_id_token_digest_changed:
return # username and token did not change, do nothing
self._remove_invalid_user(request)
user = auth.authenticate(request, token=token)
if user:
request.user = user
auth.login(request, user)
request.session["id_token_digest"] = id_token_digest
def _remove_invalid_user(self, request):
auth.logout(request)
And here is my backend:
from typing import Optional
from django.conf import settings
from django.contrib.auth import get_user_model
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import Group
from main.auth.jwt import JWT
UserModel = get_user_model()
class MyRemoteUserBackend(ModelBackend):
def authenticate(self, request, token: JWT) -> Optional[UserModel]:
if not token:
return
user, _ = UserModel._default_manager.get_or_create(username=token.username)
return user
My production settings are the following:
AUTHENTICATION_BACKENDS = [
"main.auth.backends.MyRemoteUserBackend", # custom backend
]
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.locale.LocaleMiddleware",
"django.middlewaremon.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
"main.auth.middleware.AllowAllUsersMiddleware", # custom middleware
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
]
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "Strict"
Dealing with custom session data is working fine locally (I inject a request cookie for the ID-TOKEN with another custom middleware).
In production, the sessionid cookie gets reset after each request/response. From what I can see in my Firefox network tab, a set-cookie header is always sent with the HTTP response, causing session data to be lost (session entry named "id_token_digest").
Here is one set-cookie example in production:
set-cookie sessionid=rlc...tn; expires=Mon, 03 Feb 2025 14:29:53 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax; Secure
Has anyone dealt with such problem before? Is my middleware onion layering wrong?
I have created a custom backend and related middleware which log users in on the sole condition that an ID_TOKEN cookie is passed along with the request.
My code is extensively based on django.contrib.auth.backends.RemoteUserBackend and its related middleware middleware django.contrib.auth.middleware.RemoteUserMiddleware.
Here is my middleware:
import hashlib
from django.conf import settings
from django.contrib import auth
from django.core.exceptions import ImproperlyConfigured, PermissionDenied
from django.urls import reverse
from django.utils.deprecation import MiddlewareMixin
from main.auth.backends import MyRemoteUserBackend
from main.auth.jwt import JWT
logger = logging.getLogger(__name__)
class AllowAllUsersMiddleware(MiddlewareMixin):
def process_request(self, request):
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"Requires 'AuthenticationMiddleware' in middleware"
)
try:
id_token = request.COOKIES["ID-TOKEN"]
except KeyError:
if request.user.is_authenticated:
self._remove_invalid_user(request)
return
token = JWT(id_token)
id_token_digest = hashlib.sha256(id_token.encode(), usedforsecurity=False).hexdigest()
has_id_token_digest_changed = id_token_digest != request.session.get("id_token_digest", "")
if request.user.is_authenticated:
if request.user.get_username() == token.username and not has_id_token_digest_changed:
return # username and token did not change, do nothing
self._remove_invalid_user(request)
user = auth.authenticate(request, token=token)
if user:
request.user = user
auth.login(request, user)
request.session["id_token_digest"] = id_token_digest
def _remove_invalid_user(self, request):
auth.logout(request)
And here is my backend:
from typing import Optional
from django.conf import settings
from django.contrib.auth import get_user_model
from django.contrib.auth.backends import ModelBackend
from django.contrib.auth.models import Group
from main.auth.jwt import JWT
UserModel = get_user_model()
class MyRemoteUserBackend(ModelBackend):
def authenticate(self, request, token: JWT) -> Optional[UserModel]:
if not token:
return
user, _ = UserModel._default_manager.get_or_create(username=token.username)
return user
My production settings are the following:
AUTHENTICATION_BACKENDS = [
"main.auth.backends.MyRemoteUserBackend", # custom backend
]
MIDDLEWARE = [
"django.middleware.security.SecurityMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.locale.LocaleMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
"main.auth.middleware.AllowAllUsersMiddleware", # custom middleware
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
]
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = "Strict"
Dealing with custom session data is working fine locally (I inject a request cookie for the ID-TOKEN with another custom middleware).
In production, the sessionid cookie gets reset after each request/response. From what I can see in my Firefox network tab, a set-cookie header is always sent with the HTTP response, causing session data to be lost (session entry named "id_token_digest").
Here is one set-cookie example in production:
set-cookie sessionid=rlc...tn; expires=Mon, 03 Feb 2025 14:29:53 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax; Secure
Has anyone dealt with such problem before? Is my middleware onion layering wrong?
Share Improve this question edited Jan 22 at 13:21 Q Caron asked Jan 20 at 16:17 Q CaronQ Caron 1,0231 gold badge14 silver badges28 bronze badges 1 |2 Answers
Reset to default 0The session is getting flushed due to the following lines in your middleware:
if request.user.is_authenticated: if request.user.get_username() == token.username and not has_id_token_digest_changed: return # username and token did not change, do nothing self._remove_invalid_user(request)
The call to self._remove_invalid_user(request) is the problem since that is logging the user out, which then flushes the session for security purposes. Since you mention you'd developed this after referencing the RemoteUserMiddleware the corresponding lines there look as follows:
if request.user.is_authenticated: if request.user.get_username() == self.clean_username(username, request): return self.get_response(request) else: # An authenticated user is associated with the request, but # it does not match the authorized user in the header. self._remove_invalid_user(request)
Note that in this case _remove_invalid_user is only called if the username of the remote user didn't match the username of the logged in user. In your case you're calling the method even if the username matched but the ID token did not.
You seem to be trying to check whether the ID token has changed or not by checking its hash, this doesn't seem to make much sense given that the ID token is a JWT which typically doesn't have a long expiry. It is very much possible that the changed token is for the same user identity and is just a replacement of the expired token. If you want to confirm that the token is for the same user you should use some identifying claim from the token for example the sub claim, etc. For now assuming that your username identifies the user uniquely, you can change those lines as follows:
if request.user.is_authenticated:
if request.user.get_username() == token.username:
return # username did not change, do nothing
else:
self._remove_invalid_user(request)
Thanks to you Abdul Aziz Barkat, I could narrow the issue down to a too restrictive AWS CloudFront cookie whitelist. Thank you!
Addind both Django's default sessionid and csrftoken cookie names to whitelisted cookies solved my issue (session is persisted along with session data and CSRF verification succeeds).
For those of you who are interested in some Cloud / IaC related issues, remember you have to set CloudFront's Cookies policy properly. Here is some Terraform documentation about this.
本文标签: Django HTTP response always sets sessionid cookie and session data do not persistStack Overflow
版权声明:本文标题:Django HTTP response always sets `sessionid` cookie and session data do not persist - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1738682781a2106652.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
auth.logineven for users that are already logged in. Although that shouldn't really be an issue? If I remember correctlyloginkeeps the old sessions data. – Abdul Aziz Barkat Commented Jan 20 at 16:49