| From: | Murtuza Zabuawala <murtuza(dot)zabuawala(at)enterprisedb(dot)com> |
|---|---|
| To: | Dave Page <dpage(at)pgadmin(dot)org> |
| Cc: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: [pgAdmin4][Patch]: To make session more secure in web mode |
| Date: | 2017-07-20 14:38:28 |
| Message-ID: | CAKKotZT-mzZWN6F+M4fjmmSObzjV2xZjTvhuHjOwdNjNi+9dEw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
On Thu, Jul 20, 2017 at 6:17 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>
> On Thu, Jul 20, 2017 at 1:34 PM, Murtuza Zabuawala <murtuza.zabuawala@
> enterprisedb.com> wrote:
>
>> It is based on Flask-Login module but
>> 1) Flask-Login will mark a user as logged out when it detects that an
>> existing session suddenly appears to come from a different originating IP
>> address or a different browser. But it is unfortunate that Flask-Login does
>> not enable this option by default.
>>
>
> That's just a config change though, to use strong protection instead of
> basic.
>
>
Yes we can set it to "strong" but then user won't be able to use "Remember
me" functionality as it won't support it with "strong" protection.
> 2) It does not support it at all if you want to also use the browsers
>> "remember me" functionality.
>>
>
> The *browsers* remember me functionality, or Flasks? AFAIK remember me in
> the browser is just auto-filling of the username/password anyway, which
> will only happen when creating a new session right?
>
> Browsers.
>
>
>>
>> It's just a small wrapper module to overcome above scenarios, It is not
>> most necessary thing to include in our project but it will improve the
>> session security.
>>
>> On Thu, Jul 20, 2017 at 5:52 PM, Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>
>>> Hi
>>>
>>> On Thu, Jul 20, 2017 at 12:59 PM, Murtuza Zabuawala <
>>> murtuza(dot)zabuawala(at)enterprisedb(dot)com> wrote:
>>>
>>>> Hi Dave,
>>>>
>>>> Tested it with PEM7 RestApi testsuite and it is working fine :)
>>>>
>>>
>>> The docs for this module say it's based on Flask-Login's session protect
>>> mechanism, and was intended to allow session protection in other scenarios.
>>> As we are already using Flask-Login, do we need this?
>>>
>>> See the Session Protection section on https://flask-login.readthe
>>> docs.io/en/latest/.
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EnterpriseDB UK: http://www.enterprisedb.com
>>> The Enterprise PostgreSQL Company
>>>
>>
>>
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Surinder Kumar | 2017-07-20 14:52:14 | Re: [pgAdmin4][Patch]: Allow user to Comment/Uncomment code in query editor |
| Previous Message | Murtuza Zabuawala | 2017-07-20 14:33:00 | Re: [pgAdmin4][Patch]: Allow user to Comment/Uncomment code in query editor |