Adding ip address via request.ip to devise's forgotten password mail view - ruby-on-rails-3.1

I'd like to add an IP address to Devise's forgotten password email using request.remote_ip. I can't use Devise's IP attributes since the user has not logged in.
Where do I check request.ip? I can't access Devise's controller and place the code there, and I can't put it in the views.
How should it best be done? Must I rewrite all of Devise's actions just for one small request.ip call?

Related

Attaching browser agent & IP Address to oauth_access_tokens

I'm trying to attach the browser agent and IP address to each access token the user generates on login (it will allow the user to view where they logged in and what device they used, similar to Google).
I can't seem to find where the access_token and id are generated so I could put in the code to add the extra data.
I was able to trace from HasApiTokens.php to PersonalAccessTokenFactory.php, which would fire the make function.
I want to know where inside Passport the token is generated.

Gin-Gonic Restricting Routes

My webapp has means of abuse: users can access things they're not supposed to, such as 127.0.0.1/users/1, 127.0.0.1/users/2, 127.0.0.1/users/3 and so on. Within these it reveals the user's registration email, IP, etc. (via JSON, so the web server can return customized messages and greetings, and allow users to edit account data within profile settings).
This is what my route looks like:
forum.GET("/users/:user_id", routeFunc(UsersGET))
I'm using the Gin-Gonic HTTP framework to create a dummy forum. Can someone tell me how to stop users from accessing the /users/ route whilst allowing the actual web server to use it freely, and maybe point me in the right direction? Thanks!
(The server uses it to return things like "Welcome Back, USERNAME".)
You need to add authentication and authorization to your server.
Authentication is where a user will prove their identity to you by means of a shared secret (like a password hash) and authorization is where you check if that authenticated user is allowed to take the action they are trying to make.
There are many third party services that might help you with this (e.g. Auth0) where they can handle authentication for you and provide you with libraries for authorization.
Usually people bind authentication into their Gin-Gonic server by means of middleware (e.g. gin-jwt) which runs in front of every HTTP request. Once that middleware authenticates the user, you can add some logic to your handler that states users can only view themselves.
Hope this helps. Good luck.
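As an added illustration of the answer above (not code from the asker or from any Gin or gin-jwt project), the following uses only Go's standard net/http so it runs without Gin installed; the bearer-token table, the token names and the JSON profile payload are constructed assumptions standing in for whatever the real authentication middleware resolves. The point is the separation of authentication (who is calling) from authorization (the caller may only read /users/:user_id when it is their own id), with the decision kept in a function that can be tested without a running server.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Constructed token table: stands in for the session or JWT store that a
// real authentication middleware (e.g. gin-jwt) would consult.
var sessionTokens = map[string]int{
	"tok-alice": 1,
	"tok-bob":   2,
}

// authenticate maps an "Authorization: Bearer <token>" header to a user id.
// ok is false when the header is missing, malformed or the token is unknown.
func authenticate(authHeader string) (int, bool) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return 0, false
	}
	id, ok := sessionTokens[strings.TrimPrefix(authHeader, prefix)]
	return id, ok
}

// parseUserID extracts the :user_id segment from a path of the form /users/:user_id.
func parseUserID(path string) (int, bool) {
	rest := strings.TrimPrefix(path, "/users/")
	if rest == path || rest == "" || strings.Contains(rest, "/") {
		return 0, false
	}
	id, err := strconv.Atoi(rest)
	if err != nil || id <= 0 {
		return 0, false
	}
	return id, true
}

// authorizeProfileAccess is the authorization decision: an authenticated user
// may only view their own record. It returns the HTTP status to answer with
// and, on success, the id of the profile that may be served.
func authorizeProfileAccess(authHeader, path string) (status int, userID int) {
	callerID, ok := authenticate(authHeader)
	if !ok {
		return http.StatusUnauthorized, 0 // not authenticated at all
	}
	targetID, ok := parseUserID(path)
	if !ok {
		return http.StatusNotFound, 0 // not a well-formed /users/:user_id request
	}
	if targetID != callerID {
		return http.StatusForbidden, 0 // authenticated, but not allowed to see someone else
	}
	return http.StatusOK, targetID
}

// usersHandler is the equivalent of the UsersGET handler behind /users/:user_id.
func usersHandler(w http.ResponseWriter, r *http.Request) {
	status, id := authorizeProfileAccess(r.Header.Get("Authorization"), r.URL.Path)
	if status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	// Constructed profile payload; a real handler would load the user's record here.
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"id":       id,
		"greeting": fmt.Sprintf("Welcome Back, user %d", id),
	})
}

func main() {
	http.HandleFunc("/users/", usersHandler)
	fmt.Println("listening on 127.0.0.1:8080")
	if err := http.ListenAndServe("127.0.0.1:8080", nil); err != nil {
		fmt.Println("server error:", err)
	}
}
```

With the server running, a request for /users/1 carrying tok-alice returns the profile, the same request with tok-bob gets 403, and a request with no token gets 401; the same three checks are what a Gin middleware plus a per-handler ownership test would enforce.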

Session is specific to what? Why not treat ip and domain name session as same?

I want to know what a session is specific to. This is not restricted to one language; below I just use PHP as an example.
I use PHP sessions, and it works well when I use my website's domain name. To test the website in my local VMware Ubuntu on Windows, I changed the hosts file of my Windows to point the DNS at my local IP. When testing locally with the domain name, it also works well. But when I change the URL in the browser to the IP, the session is lost.
You may wonder why I do this: because I also want to test the page on my Android device, and I cannot change my Android device's hosts file without rooting it, so I have to use the IP.
You may also wonder why I don't use the IP all the way. Because I use a third-party open login in my web app. The third-party open login must use the domain name as the redirect-back URL, so when I log in, it redirects to the URL in the domain name format.
Why isn't the PHP session the same for the domain name and the IP?
To make sure the PHP session is not the same for domain name and IP, I also tried my admin system (the above is the user system).
In my administration system, I can use the IP to log in all the way. But when I change the IP to the domain name in the URL, the session is also lost.
Since you mention PHP, I'll include information from the PHP manual.
I believe other languages behave similarly.
On the server, a session is specific to a cookie.
From the PHP manual:
Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data. The absence of an ID or session cookie lets PHP know to create a new session, and generate a new session ID.
In the user agent (the client, usually a browser), a cookie is specific to a domain and path.
From RFC6265, section 4.1.2.3:
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com.
Section 4.1.2.4:
The user agent will include the cookie in an HTTP request only if the path portion of the request-uri matches (or is a subdirectory of) the cookie’s Path attribute, where the %x2F ("/") character is interpreted as a directory separator.
So, if you move back and forth from domain name to IP address, for instance, example.com and 12.34.56.78,
a session cookie created by the server for example.com will not be sent back by the user agent
if you later make a request to 12.34.56.78, even if both are the same server.
With the later request, because the server sees no session cookie, a new session is created and a new cookie is sent.
That's why using both domain name and IP address will use separate sessions.
If you need to use the same session when using both the domain name and the IP address, you have to preserve the session ID between requests.
A common method is to pass the session ID in the query string.
PHP session management, in fact, can also be configured to use this method, but I've never needed to use it, so I can't tell you how that's going to go.
Continuing my example, you can use this for subsequent requests:
http://12.34.56.78/?sessionId=abcdef0123456789
Where abcdef0123456789 is an example session ID.
In the PHP code, set the session ID before calling session_start().
Example code:
if (isset($_GET['sessionId']))
    session_id($_GET['sessionId']); // adopt the ID passed in the query string
session_start(); // must be called after session_id()
Of course, you don't have to use sessionId.
You can use foobar or anything else.
You can also change it daily or even hourly to prevent session hijacking.
Update: To use foobar, modify the PHP code to this:
if (isset($_GET['foobar']))
    session_id($_GET['foobar']);
session_start();
With that code, you can pass the session ID like this:
http://12.34.56.78/?foobar=abcdef0123456789
If you want to use xyz, the PHP code would be:
if (isset($_GET['xyz']))
    session_id($_GET['xyz']);
session_start();
You can pass the session ID like this:
http://12.34.56.78/?xyz=abcdef0123456789
The point is, it is really up to you.
The reason for this behavior is the following:
When a session is created, its session ID is stored in a cookie. The value of the cookie is sent by the server in the HTTP header field Set-Cookie.
On the next request from the client to the server, this session ID is sent back to the server in the HTTP header field Cookie. But the user agent (browser) should send the cookie only under certain conditions. Basically the domain stored with the cookie must match the domain of the server. But in fact the rule is much more complex and is defined in RFC 6265 as follows:
The user agent MUST use an algorithm equivalent to the following
algorithm to compute the "cookie-string" from a cookie store and a
request-uri:
Let cookie-list be the set of cookies from the cookie store that
meets all of the following requirements:
Either:
The cookie's host-only-flag is true and the canonicalized
request-host is identical to the cookie's domain.
Or:
The cookie's host-only-flag is false and the canonicalized
request-host domain-matches the cookie's domain.
The request-uri's path path-matches the cookie's path.
If the cookie's secure-only-flag is true, then the request-
uri's scheme must denote a "secure" protocol (as defined by
the user agent).
NOTE: The notion of a "secure" protocol is not defined by
this document. Typically, user agents consider a protocol
secure if the protocol makes use of transport-layer
security, such as SSL or TLS. For example, most user
agents consider "https" to be a scheme that denotes a
secure protocol.
If the cookie's http-only-flag is true, then exclude the
cookie if the cookie-string is being generated for a "non-
HTTP" API (as defined by the user agent).
If you don't have the courage to read all of RFC 6265 and the related RFCs, you can do some experiments in your browser and look at the HTTP headers and the stored cookies in different situations. In Firefox, you can observe this by:
pressing CTRL+SHIFT+K
clicking on the Network tab
reloading the page
clicking on a request
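The cookie-string algorithm quoted in this answer, together with the domain-matching and path-matching rules it relies on, can be run rather than read. The following is an added example, not code from either answer or from PHP: it implements the host-only, domain-match, path-match, secure-only and http-only checks from RFC 6265 sections 5.1.3, 5.1.4 and 5.4 over a constructed cookie store, and shows that a PHPSESSID cookie set without a Domain attribute (so host-only, which is PHP's default) is returned to example.com but neither to www.example.com nor to 12.34.56.78, which is exactly the lost session the question describes. The cookie store, the session ID value and the request list are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Cookie holds the stored-cookie fields that RFC 6265 section 5.4 consults.
type Cookie struct {
	Name, Value string
	Domain      string // canonicalized (lower-case) cookie domain
	Path        string
	HostOnly    bool // set when Set-Cookie carried no Domain attribute
	SecureOnly  bool
	HttpOnly    bool
}

// Request describes the request-uri for which the cookie-string is computed.
type Request struct {
	Host       string // canonicalized request-host
	Path       string
	Secure     bool // scheme denotes a "secure" protocol, e.g. https
	NonHTTPAPI bool // true when generated for a non-HTTP API such as document.cookie
}

// domainMatches implements RFC 6265 section 5.1.3: identical, or the domain is
// a dot-separated suffix of the string and the string is a host name (not an IP).
func domainMatches(s, domain string) bool {
	s, domain = strings.ToLower(s), strings.ToLower(domain)
	if s == domain {
		return true
	}
	if net.ParseIP(s) != nil {
		return false // an IP address never suffix-matches a cookie domain
	}
	return strings.HasSuffix(s, "."+domain)
}

// pathMatches implements RFC 6265 section 5.1.4.
func pathMatches(requestPath, cookiePath string) bool {
	if requestPath == cookiePath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	// Prefix match counts only on a directory boundary: "/admin" matches
	// "/admin/users" but not "/administrator".
	return strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'
}

// cookieString selects the cookies the user agent would put in the Cookie
// header for req, following the section 5.4 algorithm quoted in the answer.
func cookieString(store []Cookie, req Request) string {
	var selected []Cookie
	for _, c := range store {
		if c.HostOnly {
			if req.Host != c.Domain {
				continue // host-only: request-host must be identical to the cookie's domain
			}
		} else if !domainMatches(req.Host, c.Domain) {
			continue
		}
		if !pathMatches(req.Path, c.Path) {
			continue
		}
		if c.SecureOnly && !req.Secure {
			continue
		}
		if c.HttpOnly && req.NonHTTPAPI {
			continue
		}
		selected = append(selected, c)
	}
	// Section 5.4 step 2: cookies with longer paths are listed first.
	sort.SliceStable(selected, func(i, j int) bool {
		return len(selected[i].Path) > len(selected[j].Path)
	})
	parts := make([]string, 0, len(selected))
	for _, c := range selected {
		parts = append(parts, c.Name+"="+c.Value)
	}
	return strings.Join(parts, "; ")
}

func main() {
	// Constructed cookie store: the session cookie PHP set while the site was
	// visited as example.com. No Domain attribute was sent, so it is host-only.
	store := []Cookie{{Name: "PHPSESSID", Value: "abcdef0123456789", Domain: "example.com", Path: "/", HostOnly: true, HttpOnly: true}}
	for _, req := range []Request{
		{Host: "example.com", Path: "/index.php"},
		{Host: "www.example.com", Path: "/index.php"},
		{Host: "12.34.56.78", Path: "/index.php"},
	} {
		fmt.Printf("%-16s Cookie: %q\n", req.Host, cookieString(store, req))
	}
}
```

Only the first request carries the cookie; the other two arrive with an empty Cookie header, so PHP starts a fresh session for each, which is the separate-sessions behaviour both answers describe.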

RoR 3 - Registering domains for my clients

I am building a RoR3 site that generates a microsite for each client. At the moment they enter their microsite using the URL www.site.com/clientid, but I want to register their own domain programmatically, so they will enter www.clientid.com and be redirected to my server. Is there any way to do that?
Have the client point the domain to your IP using the DNS management interface of the registrar. (More technically this would result in the creation of an A record or an AAAA record, but this is not your concern.)
Once the DNS has propagated, entering www.clientid.com in the browser will make a request to your server (your Rails app). There you can selectively serve content based on the domain.
class ApplicationController < ActionController::Base
  before_filter do
    # Look up the account whose registered domain matches the requested host
    @current_account = Account.find_by_domain(request.domain)
  end
end

User login auditing - best practices

As per of login auditing, I want to store http request related information in repository. One thing that comes in mind is the client IP address. Are there any other important fields from http request object that should be stored also? I want to do it for case when someone login successfully as well as when login failed as well.
If you also grabbed HTTP_USER_AGENT, REMOTE_HOST, and REMOTE_USER, those could be combined to find a unique machine making the request if they happen to be from the same ip address.
