#22400 closed New feature (wontfix)

fully_authenticated vs remember_me

Reported by: stunaz@… Owned by: nobody
Component: contrib.auth Version: 1.6
Severity: Normal Keywords: authentication
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hello, it would be nice to have a way to distinguish users who were fully authenticated (with their username and password) from those who were authenticated with their cookie.

Change History (4)

comment:1 Changed 17 months ago by aaugustin

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to needsinfo
  • Status changed from new to closed

I'm not sure to understand. The only point where a user is "fully authenticated" with your definition is in the login view. From the next page on, they're authenticated by their cookie.

comment:2 Changed 17 months ago by stunaz

  • Resolution needsinfo deleted
  • Status changed from closed to new

ok, look at this situation:

Day 1: A user logs in to the website via the login form (username & password), does some stuff, then closes the browser without logging out.
Day 2: The next day, he opens the browser; he is already connected via his cookie (no need to enter the username/password again).

I want to know how the user was authenticated (via login form, via cookie, via something else ...). The purpose? Let's say I want to prevent users who were connected via cookie from modifying their personal/critical information. Which means that when a user tries to modify their personal/critical information, I will verify how he was authenticated; if it was by cookie, I will prompt him with a login form.

Look at the situation where the user uses a public computer and closes his browser without logging out: another user could easily see or, worse, modify user information.

So I am looking for something like this:

(boolean) user.is_fully_authenticated()

or

(string) user.authenticated_type

comment:3 Changed 17 months ago by aaugustin

So you want to set a cookie that expires at browser close and check whether that cookie is younger or older than the session cookie.

If I log in, close my browser by mistake, reopen it, I will be considered not fully authenticated.

If I log in, leave my browser open, and come back fifteen days later, I will be considered as fully authenticated.

I don't think it's a sufficiently common use case to be implemented in Django, but I'll let someone else make the decision.

It can easily be implemented in a custom middleware.

comment:4 Changed 17 months ago by erikr

  • Resolution set to wontfix
  • Status changed from new to closed
  • Summary changed from fully_authenticated vs remeber_me to fully_authenticated vs remember_me

I fully agree with Aymeric. I've never really understood what "remember me" actually does on websites.

There are a few options for technical implementations. Other than Aymeric's suggestion, another option would be to set an additional cookie with a very brief lifetime, say one day, and see a user as "less authenticated" as soon as the second cookie is lost. But I think the requirements for such a feature are very specific to each product. Personally, whenever this is a concern, I just set short session lifetimes.

I don't see how we can realise this in a way that it is applicable to many projects, and it is indeed easy to implement in your own custom middleware. The middleware in django-otp might be a good example.
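The custom-middleware approach suggested in comments 3 and 4, as an added example; this is not Django's code nor django-otp's. It records a credential login with a timestamp in the server-side session and a random token echoed in a cookie that has no max-age, so the browser drops it on close (comment 3), and it additionally treats the login as stale after one day even if the browser is left open (comment 4). The cookie name, session keys, one-day limit, `mark_fresh_login`, `is_fully_authenticated`, `FreshAuthenticationMiddleware`, `fresh_login_required` and `StaleAuthentication` are all assumed names introduced here. The only Django API relied on is `request.session`, `request.COOKIES` and `HttpResponse.set_cookie`, so the functions are written against plain mappings and run without Django installed.

```python
import hmac
import secrets
import time
from functools import wraps

# Assumed names; none of these exist in Django itself.
FRESH_COOKIE_NAME = "fresh_login"         # browser-session cookie, dropped when the browser closes
SESSION_TOKEN_KEY = "_fresh_login_token"  # server-side copy of the cookie value
SESSION_LOGIN_TS_KEY = "_fresh_login_ts"  # when username/password were last presented
FRESH_MAX_AGE = 24 * 60 * 60              # one day, as in comment 4


def mark_fresh_login(session, response, now=None):
    """Record that the user just presented username and password.

    Call from the login view right after auth.login(). The token is kept in
    the server-side session and echoed in a cookie with no max_age/expires,
    which Django sends as a session cookie the browser discards on close,
    while the long-lived session cookie itself survives.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    session[SESSION_TOKEN_KEY] = token
    session[SESSION_LOGIN_TS_KEY] = now
    # Django's HttpResponse.set_cookie signature; assumed the response object
    # passed in provides it (a stub with the same method works in tests).
    response.set_cookie(FRESH_COOKIE_NAME, token,
                        httponly=True, secure=True, samesite="Lax")
    return token


def is_fully_authenticated(session, cookies, now=None, max_age=FRESH_MAX_AGE):
    """True only if the browser-session cookie is present, matches the token
    stored in the session, and the credential login is younger than max_age."""
    now = time.time() if now is None else now
    token = session.get(SESSION_TOKEN_KEY)
    login_ts = session.get(SESSION_LOGIN_TS_KEY)
    if token is None or login_ts is None:
        return False                      # no credential login in this session
    presented = cookies.get(FRESH_COOKIE_NAME, "")
    # Constant-time comparison on bytes so a non-ASCII cookie value cannot
    # raise instead of simply failing the check.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return False                      # browser was closed, or cookie does not match
    return (now - login_ts) <= max_age    # stale after a day even with the browser left open


class FreshAuthenticationMiddleware:
    """Sets request.is_fully_authenticated on every request.

    List it after SessionMiddleware in MIDDLEWARE; it only reads
    request.session and request.COOKIES, which Django populates earlier.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.is_fully_authenticated = is_fully_authenticated(
            request.session, request.COOKIES)
        return self.get_response(request)


class StaleAuthentication(Exception):
    """Raised when a view requires a fresh login and none is available."""


def fresh_login_required(on_stale=None):
    """Decorator for views that change critical data.

    on_stale(request) returns the response to send instead of running the
    view (for example a redirect to the login form with ?next=); when it is
    not given, StaleAuthentication is raised.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not getattr(request, "is_fully_authenticated", False):
                if on_stale is None:
                    raise StaleAuthentication(view.__name__)
                return on_stale(request)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator
```

In a project the stale handler would typically be `lambda request: redirect(f"{settings.LOGIN_URL}?next={request.path}")`, and the login view would call `mark_fresh_login(request.session, response)` on the response it returns after a successful password check. Binding the cookie to a random token in the session, rather than a fixed value, means the check cannot be satisfied just by re-creating a cookie named `fresh_login`; the two time-based rules reproduce exactly the two behaviours aaugustin describes (closing the browser by mistake downgrades you, leaving it open for fifteen days also downgrades you).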
