1

Main question:
Take your typical web application with login. Does it use a database to keep track of which users are currently logged in? (As opposed to remembering all users. I'm sure you need a database for that.)


I'm just starting to learn web development, and was wondering about the real-world way to remember users as logged in, as compared to simulated examples as on this Pyramid cookbook page. I could not yet find anything about the Pyramid way of doing this, neither by searching nor in the authentication-specific tutorials. Some tutorials compare the userid against a hard-coded list, others against a not-further-specified database. The question above is my guess after reading this post on correct practices of user authentication:

If you are unfamiliar with session data, here's how it works: A single randomly-generated string is stored in an expiring cookie and used to reference a collection of data - the session data - which is stored on the server. If you are using an MVC framework, this is undoubtedly handled already.

It would be cool if someone could clear this up!


Somewhat related: This question, about the same Pyramid example - it asks how secure the method is, while my question is about understanding the method.

dasWesen
    You could look at real world examples of open source Pyramid apps, including warehouse (PyPI) and websauna. The wiki tutorial you linked to also has an example. See also [Adding Authentication](https://docs.pylonsproject.org/projects/pyramid/en/latest/tutorials/wiki2/authentication.html) and [20: Logins with authentication](https://docs.pylonsproject.org/projects/pyramid/en/latest/quick_tutorial/authentication.html) for more examples and their references. – Steve Piercy Aug 09 '19 at 20:03
  • Those exact tutorials do not show how it is done: How is dbsession used (what does it store) in "Adding Authentication"? And the chapter 20 uses a hard-coded user list. – dasWesen Aug 10 '19 at 23:04
  • And thank you for the open source references. I was somewhat hoping that there is a faster way to get an answer to a yes/no question than digging through a lot of code. (Okay, a "yes" would not need much time, but explaining a "no" would. So can I assume from your comment that my guess is wrong?) – dasWesen Aug 10 '19 at 23:10

1 Answer

2

...and was wondering about the real-world way to remember users as logged in.

It's not the server (or not only the server) who needs to "remember the user as logged in", it's also the client who needs to remember.

Conceptually, it works like this: upon verifying the login credentials the server returns something which the client remembers. The client then needs to send that something with every request to the server. The server, on every request, checks that the provided value is correct, matches a user in the database, etc.

In a web application, the usual mechanism to store and automatically send that "key" to the server is via HTTP Cookies - basically, the server sends a Set-Cookie header and the browser stores the cookie and sends it back in the Cookie header on every request.

Regarding the actual payload of the cookie, there are two common approaches. One option is that upon login the server starts a "session" (which may be a row in some database table). The server then returns the ID of the session, which is a random unguessable string, to the client. To check that the particular session is active the server would need to consult the database on every request.

Another option, commonly used in Pyramid tutorials, is auth_tkt authentication: the server returns a cookie containing the actual user ID, cryptographically signed with a server-side secret. When the client sends the cookie back, the server can verify the signature and be sure the cookie hasn't been tampered with. In this case, there's nothing on the server side to keep track of "all logged in users" and no need to consult the session database.

Sergey
  • Thank you, that's a great explanation. The client-side cookie storage was explained well in the tutorials I read, but not how the auth_tkt can be authenticated by the server. -- For the second method, you probably should make sure the cookie doesn't get copied. – dasWesen Aug 11 '19 at 00:06
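The two approaches described in the answer, written out as an added Python illustration (this is not code from the question, the answer, or Pyramid itself). The session table is an in-memory dict standing in for a database row, and the ticket layout and `SECRET` are assumed stand-ins, not auth_tkt's real wire format.

```python
import hashlib
import hmac
import secrets
import time

# Approach 1: server-side session. The dict stands in for a database table
# keyed by session id (constructed for this example).
SESSIONS = {}  # session_id -> {"user_id": ..., "expires": ...}


def start_session(user_id, ttl=3600):
    """On successful login: create a session row and return its random id."""
    sid = secrets.token_urlsafe(32)  # unguessable; this is all the client holds
    SESSIONS[sid] = {"user_id": user_id, "expires": time.time() + ttl}
    return sid


def user_for_session(sid):
    """On every request: look the id up (a DB hit) and reject expired rows."""
    row = SESSIONS.get(sid)
    if row is None or row["expires"] < time.time():
        SESSIONS.pop(sid, None)
        return None
    return row["user_id"]


# Approach 2: stateless signed ticket, in the spirit of auth_tkt. The server
# keeps no per-login state; only the secret must stay server-side.
SECRET = b"replace-with-a-long-random-server-secret"  # placeholder value


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_ticket(user_id, now=None, ttl=3600):
    """Return 'user_id:expires:hmac' for the client to store in a cookie."""
    base = time.time() if now is None else now
    payload = f"{user_id}:{int(base + ttl)}"
    return f"{payload}:{_sign(payload)}"


def user_for_ticket(ticket, now=None):
    """Verify signature first, then expiry; any tampering yields None."""
    try:
        user_id, expires, sig = ticket.rsplit(":", 2)
    except ValueError:
        return None
    expected = _sign(f"{user_id}:{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    current = time.time() if now is None else now
    if int(expires) < current:
        return None
    return user_id
```

Note that revoking a session in approach 1 is a row delete, whereas a signed ticket in approach 2 stays valid until it expires unless the server adds its own denylist or rotates the secret.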