Authentication
Introduction
Websauna uses session-based authentication by default (websauna.system.auth.policy.SessionAuthenticationPolicy). When a user logs in, the logged-in user id is stored in the session. All request.session variables set while the user was anonymous are carried over to the logged-in session.
Activating users
By default, newly created user instances are not activated and thus cannot log in. To activate a user:
    from websauna.utils.time import now
    from websauna.system.user.models import User
    from websauna.system.user.utils import get_user_registry


    def my_view(request):
        u = User(email="[email protected]")

        # Leave as None, or give the plain-text password here; set_password stores it hashed
        password = None
        if password:
            # How to set a password on a freshly created user
            user_registry = get_user_registry(request)
            user_registry.set_password(u, password)

        # Where did this user come to our site from
        u.registration_source = "command_line"

        # Mark the user as activated so they can log in
        u.activated_at = now()

        request.dbsession.add(u)
Authenticating user
Invalidating session
To protect against session fixation attacks there is the websauna.system.user.events.UserAuthSensitiveOperation event.
Always fire this event when you change a user's authentication-sensitive details (email, password).
If you implement custom session handling, listen for this event and drop all of that user's sessions on receiving it.
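The following is an added, self-contained model of the pattern described above and is not Websauna's own code: an auth-sensitive change fires an event, and a listener installed by the session backend drops every session of the affected user. The UserAuthSensitiveOperation dataclass is a stand-in for the real event, and SessionStore, EventBus, register_session_invalidation and change_password are names constructed for this example, not Websauna APIs.

```python
# Added example (not Websauna code): the event class, session store and bus
# below are constructed stand-ins; only the pattern follows the page.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class UserAuthSensitiveOperation:
    """Stand-in for the framework event: fired after an email or password change."""
    user_id: int


class SessionStore:
    """Server-side session table mapping an opaque session id to a user id."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, int] = {}

    def login(self, user_id: int) -> str:
        # Every login mints a fresh, unguessable id; a client-supplied id is
        # never promoted to an authenticated session (the fixation defence).
        sid = secrets.token_urlsafe(32)
        self._by_sid[sid] = user_id
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        return self._by_sid.get(sid)

    def drop_for_user(self, user_id: int) -> int:
        """Invalidate every session belonging to user_id; return how many were dropped."""
        doomed = [sid for sid, uid in self._by_sid.items() if uid == user_id]
        for sid in doomed:
            del self._by_sid[sid]
        return len(doomed)


class EventBus:
    """Minimal subscriber registry standing in for the framework's event system."""

    def __init__(self) -> None:
        self._handlers: Dict[type, List[Callable]] = {}

    def subscribe(self, event_type: type, handler: Callable) -> None:
        self._handlers.setdefault(event_type, []).append(handler)

    def notify(self, event: object) -> None:
        for handler in self._handlers.get(type(event), []):
            handler(event)


def register_session_invalidation(bus: EventBus, store: SessionStore) -> None:
    """The listener a custom session backend installs: drop the user's sessions on the event."""
    bus.subscribe(UserAuthSensitiveOperation,
                  lambda event: store.drop_for_user(event.user_id))


def change_password(bus: EventBus, users: Dict[int, dict], user_id: int, new_hash: str) -> None:
    """Update the stored hash, then fire the event so every listener can react."""
    users[user_id]["password_hash"] = new_hash
    bus.notify(UserAuthSensitiveOperation(user_id=user_id))


def demo() -> Dict[str, bool]:
    """Two users logged in on several devices; user 1 changes their password."""
    bus, store = EventBus(), SessionStore()
    register_session_invalidation(bus, store)
    users = {1: {"password_hash": "old-hash"}, 2: {"password_hash": "other-hash"}}  # constructed

    laptop, phone = store.login(1), store.login(1)   # user 1 on two devices
    other = store.login(2)                           # an unrelated user

    change_password(bus, users, 1, "new-hash")       # fires the event
    fresh = store.login(1)                           # user 1 logs back in

    return {
        "old_sessions_dead": store.user_for(laptop) is None and store.user_for(phone) is None,
        "other_user_untouched": store.user_for(other) == 2,
        "fresh_session_valid": store.user_for(fresh) == 1,
        "fresh_id_is_new": fresh not in (laptop, phone),
    }


if __name__ == "__main__":
    print(demo())
```

The listener keys on the user id carried by the event rather than on the current request's session, so sessions on other devices are revoked too; only the user who changed a credential is affected.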