Some websites that use websockets can be manipulated into connecting to a specific ip by changing it in the console.
Is it possible to block this? So the user cannot choose a custom ip to connect to via the websocket?
For example, in the web browser game agar.io, how did they prevent the user choosing an ip in the console.
You could create a Getter and Setter function for the variable, which contains the IP. The setter is like a function-less function and the getter returns the variable.
While initiating the script, you could use a different Setter function, which actually changes the value of the variable.
Related
import requests
params = {
'apiKey': 'hidden',
'author_id': '36573126000'
}
def main():
r = requests.get('https://api.elsevier.com/content/author', params=params)
print(r.text)
main()
I'm unable to communicate with the API, as it's returning the following error:
<service-error><status><statusCode>AUTHORIZATION_ERROR</statusCode><statusText>The requestor is not authorized to access the requested view or fields of the resource</statusText></status></service-error>
What is / are the issue(s), and how can I resolve this?
There can be two issues that can cause this:
Your API Key does not have the correct level of entitlement to access that resource
You are attempting to access this resource outside of your institutional network and will need an Institutional Token to enable this.
Both can be resolved by contacting Elsevier Support at the following form:
https://service.elsevier.com/app/contact/supporthub/researchproductsapis/
This issue is usually because your current connection/IP is not the same as the one you used to create your Scopus Account; which is usually the Institutional Connection that has been granted access to Scopus.
So if there is a need to access Scopus outside that specific IP (institutional IP), then you need to setup a remote VPN proxy for yourself or Inst tokens might work as well.
Read below for clarity:
The Scopus API recognizes you as a member of your institution via IP
range. For working remotely, Scopus can also grant InstTokens. Thus
one of three things needs to happen:
You are in your instition’s network
You use your instition’s VPN
You use an InstToken
Option 1 is easy and the most common.
Option 2 might require you to additionally set a proxy. You can do so
in the configuration file.
Option 3 is rare. If you have an InstToken, please provide it during
the setup. Alternatively, add it
to the configuration file manually. You may also set the InstToken via
insttoken=”XYZ” in any class. This is the preferred solution if you
possess multiple keys.
Please Note: These suggestions are listed under pybliometrics python wrapper class documentation. However, this issue of accessing Scopus API must be the same regardless of the language and these suggestions might work.
I have a request service and I want to get tenant's address with its id. So I need TenantAppService in another service. I can't pass it from javascript, because it is an object and I think ajax converts my parameters to url. Do I need to serialize it or can I create an instance of TenantAppService in my service? Is there an applicable constructor?
Or can I use stored procedure? I tried it but even though i imported
using System.Data.SqlClient;
SqlConnection could not be found.
I want to know session is specific with what? This is not restrict to one language. Bellow is just use php as an example.
I use php session, it works well when I use the my website domain name. To test the website in my local vmvare ubuntu on the windows OS, I change the hosts of my windows to make the DNS to my local ip. When testing local, I use domain name, it also works well. But when I change the url in the browser to Ip, the session is lost.
You may confuse why I do this, because I want to also test the page on my android device, for I cannot change my android device's hosts file without android root, so I have to use ip.
You may also confuse why I not use the ip all the way? Because I use a third open login in my web app. The third open login mast use the domain name as the redirectback url, so when I loged in, it will redirect to the url in the domain name format.
Why the php session is the same when the domain name and the ip?
To make sure php session is not the same with domain name and ip? I also tryed my admin system, upper is user system.
I also try my administration system, I can use ip to login all the way. But when I change ip to the domain name in the url, the session also lose.
Since you mention PHP, I'll include information from PHP manual.
I believe other languages behave similarly.
In the server, a session is specific to a cookie.
From PHP manual:
Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.
In the user agent (the client, usually a browser), a cookie is specific to a domain and path.
From RFC6265, section 4.1.2.3:
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com.
Section 4.1.2.4:
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
So, if you move back and forth from domain name to IP address, for instance, example.com and 12.34.56.78,
a session cookie created by the server for example.com will not be sent back by the user agent
if you later make a request to 12.34.56.78, even if both are the same server.
With the later request, because the server sees no session cookie, a new session is created and a new cookie is sent.
That's why using both domain name and IP address will use separate sessions.
If you need to use the same session when using both domain name and IP address, you have to preserve the session ID between requests.
A common method is to pass the session ID in the query string.
PHP session management, in fact, can also be configured to use this method but I never need to use it, so I can't tell you how that's gonna go.
Continuing my example, you can use this for subsequent requests:
http://12.34.56.78/?sessionId=abcdef0123456789
Where abcdef0123456789 is an example session ID.
In the PHP code, set the session ID before calling session_start().
Example code:
if(isset($_GET['sessionId']))
session_id($_GET['sessionId']);
#session_start();
Of course, you don't have to use sessionId.
You can use foobar or anything else.
You can also change it daily or even hourly to prevent session hijacking.
Update: To use foobar, modify the PHP code to this:
if(isset($_GET['foobar']))
session_id($_GET['foobar']);
#session_start();
With that code, you can pass the session ID like this:
http://12.34.56.78/?foobar=abcdef0123456789
If you want to use xyz, the PHP code would be:
if(isset($_GET['xyz']))
session_id($_GET['xyz']);
#session_start();
You can pass the session ID like this:
http://12.34.56.78/?xyz=abcdef0123456789
The point is, it is really up to you.
The reason of this behavior is the following:
When a session is created, its session id is stored in a cookie. The value of the cookie is sent by the server in the HTTP field Set-Cookie.
At the next request from the client to the server, this session id is sent back to the server in the HTTP field Cookie. But the user agent (browser) should send the cookie only under certain conditions. Basically the domain stored with the cookie must match with the domain of the server. But in fact, the rule is much more complex and is defined in the RFC 6265 as follow:
The user agent MUST use an algorithm equivalent to the following
algorithm to compute the "cookie-string" from a cookie store and a
request-uri:
Let cookie-list be the set of cookies from the cookie store that
meets all of the following requirements:
Either:
The cookie's host-only-flag is true and the canonicalized
request-host is identical to the cookie's domain.
Or:
The cookie's host-only-flag is false and the canonicalized
request-host domain-matches the cookie's domain.
The request-uri's path path-matches the cookie's path.
If the cookie's secure-only-flag is true, then the request-
uri's scheme must denote a "secure" protocol (as defined by
the user agent).
NOTE: The notion of a "secure" protocol is not defined by
this document. Typically, user agents consider a protocol
secure if the protocol makes use of transport-layer
security, such as SSL or TLS. For example, most user
agents consider "https" to be a scheme that denotes a
secure protocol.
If the cookie's http-only-flag is true, then exclude the
cookie if the cookie-string is being generated for a "non-
HTTP" API (as defined by the user agent).
If you have not the courage to read all the RFC6265 and related RFC's, you can make some experiments in your browser and look at the HTTP headers and the stored cookies in different situations. In Firefox, you can observe this, by :
hitting CTRL+SHIFT+K
click on the network tab
reload the page
click on a request
I seem to have a circular dependency where we have a service provider that registers an object with the service container, and boots a config file and some middleware, but the middleware now needs to be passed a param parsed from requests JWT token to the service container prior to it being instantiated, as well as the guard of the user since the service provider needs to be able to get the authenticated user and there are 5 different types (Applicant, Manager, Admin, etc) so the guard is needed to Auth::guard($guard)->getUser() within the constructor since it defaults to the Applicant if null like Auth::guard()->getUser().
How do you work around something like this? If it helps I'm using tymons/JWTAuth (develop) branch to make use of Laravel's guard API.
Should I refactor and just bind to the service container directly within the middleware and not use a service provider at all so I can use the parameter to instantiate the service container object, and the guard. Seems like the only likely solution, but before I refactor all of this I wanted to ask if there was a better way.
Can I use two service providers? One that adds middleware, and a deferred one that will somehow eventually register an object with the service container??? If so how would you pass the parameter in a config? Thinking this isn't possible based on what I know.
Adding a setter to the object isn't an option to prevent anyone accidentally invoking it anywhere else.
Are you using tymon/jwt-auth? If so, your service provider could set up an event listener that fires when the token is decoded. Something like:
event()->listen('tymon.jwt.valid', function($user){
app()->singleton(YourInterface::class, function() use ($user){
//this will only register once your token is decoded
}
});
You could still listen for an event if you aren't using this package, then bind once that fires. This is basically the same as your option 1, but at least it keeps the code organized where you want it.
I want someone to tell me where to search for how to make a session between the client(s) and the server in RMI, i.e what is the name of that concept for searching purposes?
I named this the Remote Session pattern in my 2001 book.
The idea is to have a singleton RMI object, bound in the Registry, with nothing but a login() method. That method, if successful, returns a new RemoteSession object for every call, that contains the API you need for the session. RemoteSession is another remote interface of course. It also contains a logout() method, which unexports the object, and it also implements Unreferenced, as another way of terminating the session.
Each instance of RemoteSession can maintain client state, so it is a session object, and as the only way to get a RemoteSession object is via login(), it is secure to a first approximation.