Authentication bug - can access other session freely #807

Open
geoff1207 opened this issue Sep 21, 2023 · 7 comments

Comments

@geoff1207

I had created two separate dtale sessions with different logins and passwords.

After logging in to one of the sessions, I could access the other session without providing the corresponding login and password.

@aschonfeld
Collaborator

The different pieces of data are not tied to different logins. Once you log in you have access to any data running from that host/port. Are you spinning up your sessions with different ports?

@geoff1207
Author

Yes.
Two python sessions were bound to two different ports. Username and password were also different between sessions.

Once logged in with either account's password, it can access both sessions by changing the port in the URL.

@aschonfeld
Collaborator

Are you spinning them up from different processes? The authentication settings are global state. So all it does is a simple verification against the username & password you set in your .ini file or using set_auth_settings.

So essentially if you start a python console, start one D-Tale process w/ one set of credentials, then spin up another D-Tale process from the same console but with different credentials then it should get access to both since the credentials are shared and you essentially overrode them.

In that scenario I'd be interested to see if, having logged out of the first session, you could still log in with the first set of creds. I would think not.

@geoff1207
Author

I have used two separate Jupyter notebook sessions to create the processes with two port bindings. I think it should be in separate consoles, because if I show the df within the same console, it will bind to the existing port instead of assigning a new one. Please correct me if I am wrong.

I could try to log off to check the behavior.

@geoff1207
Author

I have just tested with two separate consoles to create two different dtale sessions with different credentials.

I copied one of the URLs to the browser and logged in with the corresponding credentials. Then, without logging off, I changed the URL to access the other session. It did not require me to input any credentials and allowed me to access the data in the other session.

I suspect the browser cookie keeps the login status, and any successful login will allow us to access all dtale sessions even if different credentials were set.

@geoff1207
Author

I have checked auth.py.

If the browser session variables logged_in and username are set, then it will not redirect to the login page. And the browser session status could allow users to access any other dtale session, even if the credentials are different.

@aschonfeld
Collaborator

So unfortunately it looks as if Flask is sharing cookies between tabs in your browser. There doesn't appear to be a solution to this other than implementing a completely different authentication mechanism. As I told someone else I think I might create a way for users to specify their own authentication mechanism because what is there now certainly isn't comprehensive enough.
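The behaviour reported in this thread, modelled as an added example (this is not D-Tale's code and not from either participant): browsers scope cookies by host name and ignore the port, so a session cookie issued by the instance on one port is sent to the instance on the other port. If both instances accept the same signed session (the example assumes they share the signing secret, which is what the observed cross-instance access implies) and the check is only "logged_in and username are set", the second instance lets the request through. The `authorized_bound` method shows one mitigation: stamp a hypothetical per-process `instance_id` into the session at login and reject sessions that carry a different one. The signing helper, the `Instance` and `Browser` classes and all credentials are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign_session(secret, session):
    """Serialize a session dict into a signed cookie value (HMAC-SHA256).
    Stand-in for a Flask-style signed session cookie; constructed for this example."""
    body = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def load_session(secret, cookie):
    """Return the session dict if the signature verifies, otherwise an empty session."""
    if not cookie or "." not in cookie:
        return {}
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return {}
    return json.loads(base64.urlsafe_b64decode(body))


class Instance:
    """One server process bound to host:port with its own username/password."""

    def __init__(self, host, port, username, password, secret):
        self.host, self.port = host, port
        self.username, self.password = username, password
        self.secret = secret
        # Hypothetical per-process nonce used by the hardened check below.
        self.instance_id = secrets.token_hex(8)

    def login(self, username, password):
        """Issue a session cookie on correct credentials, else None."""
        if username != self.username or password != self.password:
            return None
        session = {"logged_in": True, "username": username, "instance_id": self.instance_id}
        return sign_session(self.secret, session)

    def authorized_shared(self, cookie):
        """The check described in the thread: logged_in and username set is enough."""
        s = load_session(self.secret, cookie)
        return bool(s.get("logged_in")) and bool(s.get("username"))

    def authorized_bound(self, cookie):
        """Hardened check: the session must also carry this instance's own id."""
        s = load_session(self.secret, cookie)
        same_instance = hmac.compare_digest(str(s.get("instance_id", "")), self.instance_id)
        return self.authorized_shared(cookie) and same_instance


class Browser:
    """Cookie jar keyed by host name only, ignoring the port (RFC 6265 behaviour)."""

    def __init__(self):
        self.jar = {}

    def store(self, instance, cookie):
        self.jar[instance.host] = cookie

    def cookie_for(self, instance):
        return self.jar.get(instance.host)


def run_scenario(shared_secret=True):
    """Log in to instance A, then switch the port in the URL to reach instance B."""
    secret_a = secrets.token_bytes(32)
    secret_b = secret_a if shared_secret else secrets.token_bytes(32)
    a = Instance("localhost", 40000, "alice", "pw-a", secret_a)  # constructed creds
    b = Instance("localhost", 40001, "bob", "pw-b", secret_b)    # constructed creds
    browser = Browser()
    browser.store(a, a.login("alice", "pw-a"))
    sent_to_b = browser.cookie_for(b)  # same host, so the browser sends A's cookie
    return {
        "a_shared": a.authorized_shared(browser.cookie_for(a)),
        "b_shared": b.authorized_shared(sent_to_b),
        "a_bound": a.authorized_bound(browser.cookie_for(a)),
        "b_bound": b.authorized_bound(sent_to_b),
    }


if __name__ == "__main__":
    print("shared secret:  ", run_scenario(shared_secret=True))
    print("distinct secrets:", run_scenario(shared_secret=False))
```

With a shared secret, `b_shared` is `True` (the reported bug) while `b_bound` is `False`; with distinct per-process secrets the other instance cannot even verify the cookie, so `b_shared` is already `False`. Either a per-process signing secret or a per-instance session binding closes the gap; a port-specific cookie name would also keep the browser from sending one instance's cookie to the other.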

#809
