Comments (14)
Hello, can you please describe how to reproduce the issue exactly?
When testing multiple logins with different passwords, make sure that a logout has been done and the cookie has been removed.
from bottle-cork.
Yes, here is a sample application; when you log in, the password is simply ignored.

```python
from bottle import request, route, template, default_app, run
from beaker.middleware import SessionMiddleware
from cork import Cork

app = default_app()
aaa = Cork('example_conf')

# I used this code in the 'recreate_example_conf.py' to generate the hashes
# ...
# tstamp = str(datetime.utcnow())
# username = 'root'
# password = 'pwd'
# cork._store.users[username] = {
#     'role': 'admin',
#     'hash': cork._hash(username, password),
#     'email_addr': username + '@localhost.local',
#     'desc': username + ' test user',
#     'creation_date': tstamp
# }
# ...

# Wrap the Bottle app in Beaker's cookie-based session middleware.
# (Beaker uses validate_key to sign the session cookie and expects a secret string there.)
app = SessionMiddleware(app, {
    'beaker.session.auto': True,
    'beaker.session.type': 'cookie',
    'beaker.session.validate_key': True,
    'beaker.session.cookie_expires': True,
    'beaker.session.timeout': 3600 * 24})


@route('/login', method=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return template("""
<html>
<form method="post" action="/login">
<input name="user" required="required" type="text" placeholder="user">
<input name="password" type="password" required="required" placeholder="password">
<input type="submit" name="login" value="login">
</form>
</html>
""")
    if request.method == 'POST':
        username = request.POST.get('user', '')
        password = request.POST.get('password', '')
        # Cork verifies the password and redirects on success or failure.
        aaa.login(username=username, password=password,
                  success_redirect='/', fail_redirect='/login')


@route('/')
def home():
    aaa.require(role='admin', fail_redirect='/login')
    return 'welcome'


run(app=app, host='0.0.0.0', port=80)
```
from bottle-cork.
I'm not having any unexpected behavior from the code you pasted. Incorrect passwords are making the login fail. However, you have no code to remove the cookie in that snippet. Try inspecting the cookie on your browser before and during the login.
from bottle-cork.
I'm cleaning the cookies manually. I tested the code above on Opera, Chrome and Firefox, and using root/pwd, root/abc, root/anything, they all get me in.
I'm using the latest releases for beaker, cork and bottle; are you using this same config?
Beaker==1.6.4
bottle==0.11.2
bottle-cork==0.2
and here are the details for the cookies I'm getting:
name               value                                             domain      size   path   expire
beaker.session.id  78ef4b6864da48d3c62c5ca...3RpbWVxBUdB1CNZUYyLRHUu  127.0.0.1   197 B  /      Session
what can I do to help debug this code?
from bottle-cork.
The library versions are very close. Can you join the #bottlepy IRC channel on Freenode? In the meantime I'll keep investigating.
Beaker 1.6.3
Bottle 0.11.3
Cork 0.2
Thanks!
from bottle-cork.
Also, did you try running the unit and functional tests? Are they all successful?
from bottle-cork.
Which version of pycrypto?
from bottle-cork.
bottle-cork uses crypto from beaker.
from bottle-cork.
I'm using pycrypto v. 2.6
from bottle-cork.
I've updated the unit and functional tests to run them on windows as well.
from bottle-cork.
Beaker depends on one of Pycryptopp, NSScrypto, JCEcrypto or Crypto, and it silently fails when none of them is installed. This makes the whole password verification process for cork useless.
I've successfully tested with Crypto and cryptopp. Because there is no dependency check when you pip install beaker,
the solution is to enforce a dependency on Crypto for cork and add some safety checks.
On Windows there is no pip install
for any of them; you can get Crypto binaries from here or pycryptopp eggs from here.
Thanks go to FedericoCeratto and defnull.
from bottle-cork.
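The failure mode described in the comment above (a crypto backend that fails silently, so that every password verifies) and the kind of safety check it proposes, as an added Python example. This is illustrative code written for this page, not Cork's or Beaker's own: the function names, the degraded-backend stand-in and the sample records are constructed for the demonstration, and the known-answer vector is PBKDF2-HMAC-SHA1 test vector 1 from RFC 6070.

```python
import hashlib
import hmac
import os

# Added example (not Cork's or Beaker's code). The "fragile" half models a
# hashing shim whose backend is missing and that degrades silently instead of
# raising; the "hardened" half shows a start-up safety check that fails closed.


def fragile_hash(password: bytes, salt: bytes, backend_available: bool) -> bytes:
    """Constructed stand-in for a crypto shim that silently fails: with no
    backend it returns an empty digest instead of raising."""
    if not backend_available:
        return b""  # silent failure: the "hash" of every password is identical
    return hashlib.pbkdf2_hmac("sha1", password, salt, 10000)


def fragile_verify(stored: bytes, password: bytes, salt: bytes,
                   backend_available: bool) -> bool:
    """Naive comparison: if hashing degraded both when the user was created
    and at login, stored == b"" == candidate and every password matches."""
    return fragile_hash(password, salt, backend_available) == stored


# --- hardened version -------------------------------------------------------

# RFC 6070 PBKDF2-HMAC-SHA1 test vector 1 (password="password", salt="salt",
# c=1, dkLen=20): a fixed known answer the implementation must reproduce.
_KAT_PASSWORD = b"password"
_KAT_SALT = b"salt"
_KAT_ITERATIONS = 1
_KAT_EXPECTED = bytes.fromhex("0c60c80f961f0e71f3a9b524af6012062fe037a6")

ITERATIONS = 10000
SALT_LEN = 16
DIGEST_LEN = 20


def crypto_self_test() -> bool:
    """Start-up safety check: prove the PBKDF2 backend is present and correct.
    Raises RuntimeError rather than letting the application run with a
    non-functional hash, which is what the thread found the shim doing."""
    pbkdf2 = getattr(hashlib, "pbkdf2_hmac", None)
    if pbkdf2 is None:
        raise RuntimeError("no PBKDF2 implementation available; refusing to start")
    got = pbkdf2("sha1", _KAT_PASSWORD, _KAT_SALT, _KAT_ITERATIONS, DIGEST_LEN)
    if not hmac.compare_digest(got, _KAT_EXPECTED):
        raise RuntimeError("PBKDF2 known-answer test failed; refusing to start")
    return True


def hash_password(username: str, password: str, salt=None) -> bytes:
    """Return salt || PBKDF2(username:password). Mixing in the username
    mirrors the spirit of the thread's cork._hash(username, password) call."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    secret = (username + ":" + password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha1", secret, salt, ITERATIONS, DIGEST_LEN)
    return salt + digest


def verify_password(stored: bytes, username: str, password: str) -> bool:
    """Fail closed: a malformed or degenerate stored record never verifies,
    and the comparison is constant-time."""
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    if not any(expected):  # an all-zero digest is a cheap sign of a broken backend
        return False
    candidate = hash_password(username, password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed walk-through of both halves.
    degraded = fragile_hash(b"pwd", b"salt", backend_available=False)
    print("fragile accepts wrong password:",
          fragile_verify(degraded, b"anything", b"salt", backend_available=False))
    crypto_self_test()
    record = hash_password("root", "pwd")
    print("hardened accepts right password:", verify_password(record, "root", "pwd"))
    print("hardened rejects wrong password:", verify_password(record, "root", "abc"))
```

The self-test is the part that maps to the thread's "safety check": run once at import or start-up, it turns a missing or broken backend into a hard failure instead of a login form that accepts anything.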
I had added a pycrypto dependency in my heroku-fix pull request. Really the solution is probably for beaker to either not silently fail, or to have a hard default dependency.
But for cork to be useful, it may be good to just add the default pycrypto as a dependency.
from bottle-cork.
@23min I've just looked into your pull request; yes, you're right.
from bottle-cork.
I've added a safety check in this commit: 6f0755e
from bottle-cork.