Opened 10 years ago
Closed 10 years ago
#22400 closed New feature (wontfix)
fully_authenticated vs remember_me
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.6 |
| Severity: | Normal | Keywords: | authentication |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Hello,it would be nice to have a way to distinguish users which where fully authenticated (with their username and password), and those which where authenticated with their cookie.
Change History (4)
comment:1 by , 10 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | new → closed |
comment:2 by , 10 years ago
| Resolution: | needsinfo |
|---|---|
| Status: | closed → new |
ok, look at this situation:
Day 1 :A user login in the website via the login form (username & password), do some stuff, then close the browser without logout.
Day 2 :The next day, he opens the browser, he already connected via his cookie (no need to enter again the username/password).
I want to know how the user was authenticated (via login_form, via cookie, via something else ...). The purpose? let's say I want to prevent users which were connected via cookie to modify their personal/critical information. Which means when a user tries to modify their personnal/critical information, I will verify how he was authenticated, if it was by cookie, I will prompt him a login form.
look at the situation in case if the user uses a public computer and close his browser without logout, and another user could easily see or worse modify user information.
So am looking for somehting like this :
(boolean) user.is_fully_autehnticated()
or
(string) user.authenticated_type
comment:3 by , 10 years ago
So you want to set a cookie that expires at browser close and check whether that cookie is younger or older than the session cookie.
If I log in, close my browser by mistake, reopen it, I will be considered not fully authenticated.
If I log in, leave my browser open, and come back fifteen days later, I will be considered as fully authenticated.
I don't think it's a sufficiently common use case to be implemented in Django, but I'll let someone else make the decision.
It can easily be implemented in a custom middleware.
comment:4 by , 10 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
| Summary: | fully_authenticated vs remeber_me → fully_authenticated vs remember_me |
I fully agree with Aymeric. I've never really understood what "remember me" actually does on websites.
There are a few options for technical implementations. Other than Aymeric's suggestion, another option would be to set an additional cookie with a very brief lifetime, say one day, and see a user as "less authenticated" as soon as the second cookie is lost. But I think the requirements for such a feature are very specific to each product. Personally, whenever this is a concern, I just set short session lifetimes.
I don't see how we can realise this in a way that it is applicable to many projects, and it is indeed easy to implement in your own custom middleware. The middleware in django-otp might be a good example.
I'm not sure to understand. The only point where a user is "fully authenticated" with your definition is in the login view. From the next page on, they're authenticated by their cookie.