Backend
Arsen Abakarov, 2016-08-20 17:27:12

Website authentication mechanism?

Good afternoon.
I have started implementing authentication on the site; I'm using Django 1.8 with uwsgi and nginx.
I dug up the following mechanism on a popular programmers' resource (everyone knows which one):
The user logged in with the "remember me" checkbox. - We write the hash into a cookie and into the table, and the data into the session.
The user logged in without "remember me". - We set up the session.
The user logged out. - We erase the cookie and the hash (if any) and clear the session.
The user came to the site and the session is open. - We continue working.
The user came to the site and there is no data in the session. - We look for a cookie with a hash.
The user came to the site, there is no session, but there is a cookie with a hash. - We check the hash; everything is OK, so we set up the session.
The user came to the site, there is no session and no hash cookie. - Please log in.
I have two questions:
1) "The user came to the site and there is no data in the session. We look for a cookie with a hash." I don't understand this at all: how can data disappear from the session if I fully control it on the server?
2) "The user came to the site, there is no session, but there is a cookie with a hash. - We check the hash; everything is OK, so we set up the session." How do I check the hash here? As I understand it, this checkbox is for automatically logging in to the site, but if I have a cookie with a hash, will the server logic have to look up the user's id by the hash in the database? What if there is a collision? Still, I don't understand something: right now I store this hash in the users table; should it be stored in a separate table and just checked?
And do I need to put the user id in the session? I put it there because there may be pages in the interface with access privileges.
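One way to implement the "remember me" steps described in the question, as an added example (not the asker's code and not Django's own session machinery). It assumes a separate token table, an in-memory sqlite store standing in for the real database, and a cookie of the form selector:validator, where the selector is the lookup key and only a hash of the validator is stored, so the user id is found by the selector rather than by searching for a hash.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed stand-in for the separate remember-me table (assumption: not a Django model).
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE remember_tokens ("
    "selector TEXT PRIMARY KEY, validator_hash BLOB, user_id INTEGER, expires_at INTEGER)"
)
TOKEN_TTL = 30 * 24 * 3600  # 30 days, assumed lifetime of a remembered login


def issue_token(user_id, now=None):
    """Create a remember-me token and return the cookie value 'selector:validator'.
    Only sha256(validator) is stored, so a leaked table does not yield usable cookies."""
    now = int(now if now is not None else time.time())
    selector = secrets.token_urlsafe(12)   # random lookup key, unique per issued cookie
    validator = secrets.token_urlsafe(32)  # random secret, never stored in clear
    vhash = hashlib.sha256(validator.encode()).digest()
    db.execute("INSERT INTO remember_tokens VALUES (?, ?, ?, ?)",
               (selector, vhash, user_id, now + TOKEN_TTL))
    return f"{selector}:{validator}"


def check_token(cookie, now=None):
    """Return the user_id for a valid cookie, else None. The row is fetched by selector
    (a unique key, so no collision question); the validator hash is compared in constant time."""
    now = int(now if now is not None else time.time())
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    row = db.execute("SELECT validator_hash, user_id, expires_at FROM remember_tokens "
                     "WHERE selector = ?", (selector,)).fetchone()
    if row is None or row[2] < now:
        return None  # unknown selector or expired token
    expected = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(expected, row[0]):
        return None  # validator does not match: treat as a forged cookie
    return row[1]


def revoke_token(cookie):
    """Logout step: delete the row so the cookie is dead even if the browser keeps it."""
    db.execute("DELETE FROM remember_tokens WHERE selector = ?", (cookie.split(":", 1)[0],))


def revoke_all(user_id):
    """Invalidate every remembered device of a user, e.g. after a password change."""
    db.execute("DELETE FROM remember_tokens WHERE user_id = ?", (user_id,))
```

Once check_token returns a user id, the view would load that user and set up the server-side session exactly as after a normal login.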
