
I have two questions regarding security issues.

Intro: I'm developing a command line client that communicates with a server (a ready product; I have no influence over the server's code) using Curl. The server requires authentication: username and password (plain text). All requests are made over HTTPS.

I believe using an HTTP cookie is a good solution: the client will authenticate only once, and for subsequent requests a cookie can be used.

Firstly: authentication implementation. Is it safe to store the user password in a regular Python variable? I mean, can it be read by a third party during script runtime? (There can be many users on the same machine, on the same OS account; every single one has a username and a password [for client-server authorisation] that should remain secret.)

Secondly: would you have some hints about cookie storage? An encrypted file or something like that?

I am using Python 2.6.

  • Could you describe your architecture a bit more? As a rule of thumb, when it comes to authentication security, I'd always go for a library if I don't have enough experience. Similarly, when it comes to cookie handling, why go through the headache of developing it yourself when you can use Django out of the box to solve both issues, cookies and authentication (and I'm sure there are packages, or you can implement your command line through a REST interface or something similar). Commented Aug 16, 2015 at 9:51
  • Hey zom-pro! Sure, but I'm developing a CLI tool without a web (and, generally speaking, graphical) interface. My requests go over REST. What details do you want to know about the architecture? Commented Aug 16, 2015 at 11:07

1 Answer


Your assumption is correct. As long as the users do not have access to one another's home directories, there is no need to hide the cookie any further. Your design is secure. Also, since you are developing a CL tool, you could simply use a netrc-like configuration file (it could be .netrc itself) containing the authentication information and forget about cookie management.

EDIT (many users have access to one account):

I would consider changing that. However, playing within your constraints, I would suggest you create a log-in and log-out mechanism that generates and returns an authentication token valid for one session only.

appname login

The CLI would prompt for a username and a password. If these are valid, the server replies with an alphanumeric sequence valid for one session. The client would save it in a temporary file and use it for subsequent requests.

appname use

And finally,

appname logout

which would invalidate the token and remove the file.

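The login / use / logout flow sketched in the answer, as an added example that is not part of the original question or answer. It is written for Python 3 (the question uses 2.6; os.O_EXCL and getpass exist there too, but secrets and hmac.compare_digest do not). FakeServer is a constructed stand-in for the real server, which cannot be modified: the answer assumes that server already exposes a login call that hands back a per-session token, and the stand-in only mimics that. The file path, the sample user and the "appname" subcommand names are assumptions. Two points the answer leaves implicit are shown in code: the token file is created with O_EXCL and mode 0600 (which keeps other OS accounts out, but not other people using the same account, hence the short-lived token and the logout), and the password is prompted without echo and dropped after one use, since Python gives no way to wipe a str from memory.

```python
"""Added example (not from the question or answer): the answer's login / use /
logout flow, with the per-session token kept in a 0600 file that is created
exclusively and deleted on logout."""
import getpass
import hmac
import os
import secrets
import stat
import tempfile


class FakeServer:
    """Constructed stand-in for the real, unmodifiable server: it checks the
    username/password once and returns a token valid for one session."""

    def __init__(self, users):
        self._users = users        # {username: password}; constructed sample data
        self._sessions = {}        # token -> username

    def login(self, username, password):
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def get(self, token, path):
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("invalid or expired session token")
        return "%s read %s" % (user, path)

    def logout(self, token):
        return self._sessions.pop(token, None) is not None


class TokenFile:
    """One session token on disk; the path is chosen by the CLI (assumption)."""

    def __init__(self, path):
        self.path = path

    def save(self, token):
        # O_EXCL fails if the path already exists, so a stale token or a symlink
        # planted by someone else is never followed or overwritten. Mode 0600
        # keeps other OS accounts out; it cannot protect against other people
        # sharing the same account, which is why the token is short-lived.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(token)

    def load(self):
        st = os.lstat(self.path)           # lstat: do not follow a symlink
        if not stat.S_ISREG(st.st_mode):
            raise OSError("token file is not a regular file")
        if st.st_mode & 0o077:
            raise OSError("token file is readable by other OS accounts")
        with open(self.path) as f:
            return f.read().strip()

    def remove(self):
        try:
            os.unlink(self.path)
        except FileNotFoundError:
            pass


def cmd_login(server, token_file, username, password):
    """appname login: trade the credentials for a session token, once."""
    token = server.login(username, password)
    if token is None:
        return False
    token_file.save(token)
    return True


def interactive_login(server, token_file):
    """Prompt without echo and drop the password right after use. Python cannot
    wipe a str, so the value stays in memory until it is garbage-collected."""
    username = input("username: ")
    password = getpass.getpass("password: ")
    try:
        return cmd_login(server, token_file, username, password)
    finally:
        del password


def cmd_use(server, token_file, path):
    """appname use: authenticate with the stored token, never the password."""
    return server.get(token_file.load(), path)


def cmd_logout(server, token_file):
    """appname logout: invalidate the token server-side, then delete the file."""
    try:
        token = token_file.load()
    except FileNotFoundError:
        return False
    revoked = server.logout(token)
    token_file.remove()
    return revoked


def run_demo():
    """Drive the whole flow in a scratch directory and report what happened."""
    path = os.path.join(tempfile.mkdtemp(), "session-token")
    server = FakeServer({"alice": "correct horse"})     # constructed sample user
    tf = TokenFile(path)
    r = {"bad_password_rejected": not cmd_login(server, tf, "alice", "wrong")}
    r["login_ok"] = cmd_login(server, tf, "alice", "correct horse")
    r["file_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    r["use"] = cmd_use(server, tf, "/reports")
    r["logout_ok"] = cmd_logout(server, tf)
    r["file_gone"] = not os.path.exists(path)
    try:
        cmd_use(server, tf, "/reports")
        r["rejected_after_logout"] = False
    except (FileNotFoundError, PermissionError):
        r["rejected_after_logout"] = True
    return r


if __name__ == "__main__":
    print(run_demo())
```

For a real deployment, `interactive_login` replaces the hard-coded credentials in `run_demo`, and `FakeServer` is replaced by whatever HTTPS calls the product's REST API actually offers; if that API has no login call that returns a token, the answer's scheme cannot be built on top of it and the password itself has to be re-sent on every request.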

4 Comments

Thanks for the answer! In my case users have access to the same OS account, but they have different accounts in the sense of accessing server resources.
Ben Beirut, you are right. However, my client doesn't maintain the session. If you want to make a request, you have your first session, which ends with the server's answer (I know it's strange, but in my case it's a must: the server's REST API). Another request is another session... And still, how do I store the token? Can it be an HTTP cookie? Should it be encrypted?
I do not understand the constraints. Is it the client or the server that you cannot modify?
I cannot modify the server.
