Re: [pgAdmin4][Patch]: To make session more secure in web mode - Mailing list pgadmin-hackers

From Murtuza Zabuawala
Subject Re: [pgAdmin4][Patch]: To make session more secure in web mode
Date
Msg-id CAKKotZT-mzZWN6F+M4fjmmSObzjV2xZjTvhuHjOwdNjNi+9dEw@mail.gmail.com
In response to Re: [pgAdmin4][Patch]: To make session more secure in web mode  (Dave Page <dpage@pgadmin.org>)
Responses Re: [pgAdmin4][Patch]: To make session more secure in web mode
List pgadmin-hackers


On Thu, Jul 20, 2017 at 6:17 PM, Dave Page <dpage@pgadmin.org> wrote:


On Thu, Jul 20, 2017 at 1:34 PM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
It is based on Flask-Login module but 
1) Flask-Login will mark a user as logged out when it detects that an existing session suddenly appears to come from a different originating IP address or a different browser. But it is unfortunate that Flask-Login does not enable this option by default.

That's just a config change though, to use strong protection instead of basic.
 
Yes, we can set it to "strong", but then the user won't be able to use the "Remember me" functionality, as it isn't supported with "strong" protection.
2) It does not support it at all if you want to also use the browsers "remember me" functionality.

The *browser's* remember me functionality, or Flask's? AFAIK remember me in the browser is just auto-filling of the username/password anyway, which will only happen when creating a new session, right?

Browsers. 
 

It's just a small wrapper module to overcome the above scenarios. It is not the most necessary thing to include in our project, but it will improve the session security.

On Thu, Jul 20, 2017 at 5:52 PM, Dave Page <dpage@pgadmin.org> wrote:
Hi

On Thu, Jul 20, 2017 at 12:59 PM, Murtuza Zabuawala <murtuza.zabuawala@enterprisedb.com> wrote:
Hi Dave,

Tested it with the PEM7 RestApi test suite and it is working fine :)

The docs for this module say it's based on Flask-Login's session protect mechanism, and was intended to allow session protection in other scenarios. As we are already using Flask-Login, do we need this? 

See the Session Protection section on https://flask-login.readthedocs.io/en/latest/.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company




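The point Dave and Murtuza go back and forth on is what Flask-Login's SESSION_PROTECTION setting actually does on a mismatch: "basic" only marks the session non-fresh, while "strong" discards the session and the remember cookie with it. The following is an added illustration written for this page; it is not pgAdmin code and does not import Flask-Login, but models the documented behaviour in plain Python so it runs offline. The identifier derivation (SHA-512 over "remote_addr|user_agent") follows what the Flask-Login docs describe; the Session class, login/load_user helpers and the sample client values are assumptions made for the example.

```python
"""Model of Flask-Login's session protection modes (added illustration,
not pgAdmin or Flask-Login code).  Session, login() and load_user() are
stand-ins invented for this example; only the identifier scheme and the
basic/strong rules follow the Flask-Login documentation."""
import hashlib


def create_identifier(remote_addr: str, user_agent: str) -> str:
    # Flask-Login ties a session to the client IP and User-Agent header;
    # if either changes, the stored identifier no longer matches.
    base = f"{remote_addr}|{user_agent}"
    return hashlib.sha512(base.encode("utf-8")).hexdigest()


class Session(dict):
    """Constructed stand-in for the Flask session plus the remember cookie."""

    def __init__(self):
        super().__init__()
        self.remember_cookie = None  # value of the "remember me" cookie, if any


def login(session, user_id, remote_addr, user_agent, remember=False):
    """Mirror of what login_user() records: user, freshness, identifier."""
    session["_user_id"] = user_id
    session["_fresh"] = True
    session["_id"] = create_identifier(remote_addr, user_agent)
    if remember:
        session.remember_cookie = user_id


def load_user(session, remote_addr, user_agent, protection="basic"):
    """Return the user id for this request (or None) after applying
    session protection.  protection is None, "basic" or "strong", the
    values SESSION_PROTECTION accepts."""
    ident = create_identifier(remote_addr, user_agent)
    stored = session.get("_id")
    if protection and stored is not None and stored != ident:
        if protection == "strong":
            # strong: the session is thrown away and the remember cookie is
            # cleared too, so the user has to authenticate again.  This is
            # why "strong" and "remember me" do not work together.
            session.clear()
            session.remember_cookie = None
            return None
        # basic: the session survives but is marked non-fresh, so only
        # views that require a fresh login will re-prompt.
        session["_fresh"] = False

    user = session.get("_user_id")
    if user is None and session.remember_cookie is not None:
        # A remember cookie restores the login as a non-fresh session.
        user = session.remember_cookie
        session["_user_id"] = user
        session["_fresh"] = False
        session["_id"] = ident
    return user


if __name__ == "__main__":
    # Constructed sample client values, not real traffic.
    s = Session()
    login(s, "alice", "10.0.0.1", "Mozilla/5.0 (X11)", remember=True)
    print("basic, IP changed :", load_user(s, "10.0.0.2", "Mozilla/5.0 (X11)", "basic"), s["_fresh"])
    s = Session()
    login(s, "alice", "10.0.0.1", "Mozilla/5.0 (X11)", remember=True)
    print("strong, UA changed:", load_user(s, "10.0.0.1", "curl/7.58", "strong"), s.remember_cookie)
```

Run as a script it shows the two outcomes side by side: under "basic" a changed IP leaves alice logged in with `_fresh` set to False, whereas under "strong" a changed User-Agent yields None and the remember cookie is gone. Note that the IP-based check is only as good as the address the app sees; behind a reverse proxy it must be configured to read the forwarded client address, or every client shares one identifier.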
