Django Remote Authentication and Security

I am using Django remote user authentication in a project. In fact, I only use django.contrib.auth.RemoteUserBackend without middleware and manually call authenticate after checking with the backend that the user is legit.

Considering the middleware source, it seems that it simply takes the username from the header in the request and then calls authenticate with that username. In turn, the remote user backend just merrily loads the user with any username. The user then gains access to all areas for which a valid login is required.

Isn't that just a huge security flaw? How is it supposed to be used?

In my case, I should be safe, since the only authenticate call comes after a successful remote authentication check, but I wonder why the middleware was introduced.

+4
2 answers

Let me draw your attention to this: if you think this is a security error, try writing an exploit that sets the REMOTE_USER header in your application's request and see what happens.

REMOTE_USER refers to the early days of the Internet, when CGI pages ran locally as the user you came to the web page with. REMOTE_USER is actually the name of a unix environment variable that indicates the active user. As security models for web servers change, this design has been retained for compatibility. Now even IIS supports it for transparently managing Active Directory logins.

All user headers begin with HTTP_. Otherwise, you could not trust any header information like SERVER_NAME, which would be a huge mess.

+6
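The HTTP_ prefix argument above, as an added example that is not part of the original answer or of Django's code: a simplified model of how a WSGI server maps client headers into the environ, and of the request.META lookup RemoteUserMiddleware performs (the function and variable names here are my own). It also shows the one configuration where the check matters: a middleware subclass that reads an HTTP_-prefixed header set by a front proxy is only safe if that proxy strips the client's copy first.

```python
# Added illustration of why a client cannot set REMOTE_USER under WSGI.
# Not Django's code: a minimal model of (a) the header -> environ mapping a
# WSGI server such as wsgiref performs and (b) RemoteUserMiddleware's lookup.
from typing import Optional


def wsgi_environ_from_request(client_headers: dict, server_vars: dict) -> dict:
    """Build a WSGI environ the way a WSGI server would (simplified).

    Every header sent by the HTTP client is stored as HTTP_<NAME> with '-'
    replaced by '_'. Values set by the web server itself (REMOTE_USER after a
    successful server-side auth, SERVER_NAME, ...) are stored without the
    prefix, so no client header can collide with them.
    """
    environ = {}
    for name, value in client_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    environ.update(server_vars)  # server-controlled values, never from the client
    return environ


def remote_user(environ: dict, header: str = "REMOTE_USER") -> Optional[str]:
    """Mirror RemoteUserMiddleware's lookup: the username is whatever sits in
    request.META[header]; None when the key is absent or empty."""
    return environ.get(header) or None


def strip_client_header(client_headers: dict, name: str) -> dict:
    """What a trusted front proxy must do before setting its own auth header:
    drop any client-supplied copy so it cannot be forwarded as genuine."""
    return {k: v for k, v in client_headers.items() if k.upper() != name.upper()}


# Constructed sample: a client sending a username in a request header.
SPOOF_HEADERS = {"Remote-User": "admin", "Host": "app.example"}


def default_setup_is_safe() -> bool:
    env = wsgi_environ_from_request(SPOOF_HEADERS, {"SERVER_NAME": "app.example"})
    return remote_user(env) is None  # header landed in HTTP_REMOTE_USER instead


def server_auth_is_honoured() -> bool:
    env = wsgi_environ_from_request({}, {"REMOTE_USER": "alice"})
    return remote_user(env) == "alice"


def proxy_header_needs_stripping() -> bool:
    # A subclass configured with header = "HTTP_REMOTE_USER" (for a proxy that
    # sets it) trusts a client-reachable key; only stripping makes that safe.
    unsafe = remote_user(wsgi_environ_from_request(SPOOF_HEADERS, {}), "HTTP_REMOTE_USER")
    cleaned = strip_client_header(SPOOF_HEADERS, "Remote-User")
    safe = remote_user(wsgi_environ_from_request(cleaned, {}), "HTTP_REMOTE_USER")
    return unsafe == "admin" and safe is None
```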

Django 'merrily logs the user in' because your web server has verified that the visitor has valid credentials for this username, and set the header accordingly.

If you trust your web server (e.g. Apache) to set the REMOTE_USER (or other) header, then this is not a security flaw.

+1

Source: https://habr.com/ru/post/1399159/
