Thursday, August 30, 2012

django and cookies

Is it possible to set the django csrf cookie to be http-only? Similar to SESSION_COOKIE_HTTPONLY for the session cookie, but for the csrf one?
http://stackoverflow.com/questions/10861784/django-csrf-cookie-httponly


I tried the second method and it works wonderfully, thanks! Just added the middleware before csrf (obvious but it took me a while as I put it after) and put CSRF_COOKIE_NAME in settings and that's all. – Mark Jun 2 at 21:08

Currently there is no setting option for this.
You could override the process_response() method of django.middleware.csrf.CsrfViewMiddleware and use the customized one instead of CsrfViewMiddleware in MIDDLEWARE_CLASSES:

from django.conf import settings
from django.middleware.csrf import CsrfViewMiddleware

class Foo(CsrfViewMiddleware):
    def process_response(self, request, response):
        # Let CsrfViewMiddleware set the cookie first. super() must name this
        # subclass (Foo), not CsrfViewMiddleware itself, otherwise the parent's
        # process_response is skipped entirely.
        response = super(Foo, self).process_response(request, response)
        # The cookie is only on the response when the middleware set it this request.
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response

Or in another middleware which is invoked after CsrfViewMiddleware in response:

from django.conf import settings

class Foo(object):
    # Response middleware runs bottom-up, so list this class BEFORE
    # CsrfViewMiddleware in MIDDLEWARE_CLASSES to see the cookie it set.
    def process_response(self, request, response):
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response
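Added example (my code, not from the question, the answers or Django itself): the second approach above written as a response-phase middleware that flags the CSRF cookie HttpOnly and, when CSRF_COOKIE_SECURE is on, Secure. So that it runs without Django installed, a small stand-in for settings and for HttpResponse is defined inline; the only thing the middleware touches is response.cookies, which on a real HttpResponse is the same http.cookies.SimpleCookie (Cookie.SimpleCookie on Python 2) used here. It is written for Python 3; the cookie name, token value and max-age are constructed sample values in the style of Django 1.4's defaults.

```python
# Added example: harden the CSRF cookie from a response middleware.
# Not Django's code; FakeResponse and Settings are stand-ins so this runs offline.
from http.cookies import SimpleCookie


class Settings(object):
    """Stand-in for django.conf.settings (assumption: only these two names matter)."""
    CSRF_COOKIE_NAME = "csrftoken"      # Django's default cookie name
    CSRF_COOKIE_SECURE = True           # real Django setting (added in 1.4)


settings = Settings()


class FakeResponse(object):
    """Minimal stand-in for django.http.HttpResponse: only the cookie jar."""

    def __init__(self):
        self.cookies = SimpleCookie()   # same type Django uses for response.cookies

    def set_cookie(self, key, value, max_age=None, path="/"):
        self.cookies[key] = value
        self.cookies[key]["path"] = path
        if max_age is not None:
            self.cookies[key]["max-age"] = max_age

    def set_cookie_headers(self):
        """The Set-Cookie header values this response would emit, in order."""
        return [morsel.OutputString() for morsel in self.cookies.values()]


class CsrfCookieHardeningMiddleware(object):
    """List this BEFORE CsrfViewMiddleware in MIDDLEWARE_CLASSES.

    Django runs process_response from the bottom of the list upwards, so a
    class listed earlier sees the response after CsrfViewMiddleware has
    already set the cookie (the ordering the comment above had to discover).
    """

    def process_response(self, request, response):
        name = settings.CSRF_COOKIE_NAME
        if name in response.cookies:            # only present when it was (re)set
            response.cookies[name]["httponly"] = True
            if settings.CSRF_COOKIE_SECURE:
                response.cookies[name]["secure"] = True
        return response


def simulate(csrf_cookie_set=True):
    """Push one response through the middleware; return its Set-Cookie lines."""
    response = FakeResponse()
    if csrf_cookie_set:
        # What CsrfViewMiddleware does when the view used the token (constructed value,
        # max-age matches Django's one-year CSRF cookie lifetime).
        response.set_cookie(settings.CSRF_COOKIE_NAME, "m3ek7v1y0x2example", max_age=31449600)
    response.set_cookie("sessionid", "abc123")  # unrelated cookie, must be left alone
    hardened = CsrfCookieHardeningMiddleware().process_response(None, response)
    return hardened.set_cookie_headers()


if __name__ == "__main__":
    for line in simulate():
        print("Set-Cookie: " + line)
```

Two caveats before copying this into a project. HttpOnly on the CSRF cookie is not a CSRF defence and only a weak XSS mitigation: the same token is printed into every form by {% csrf_token %}, so script running in the page can read it from there anyway, while HttpOnly does break the documented AJAX pattern that reads the csrftoken cookie from JavaScript to fill the X-CSRFToken header. Django 1.6 later added CSRF_COOKIE_HTTPONLY as a real setting, which is what to use once you are on that version.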


I'm not going to categorize as a bug, because over HTTPS we also have strict referer checking for CSRF protection, so leaking of the token is not a critical issue.







http://eli.thegreenplace.net/2011/06/24/django-sessions-part-i-cookies/

http://coffeeonthekeyboard.com/tag/django-nyc-security/page/2/





http://solutoire.com/2009/02/26/django-series-1-a-custom-login-page/
http://www.alandelevie.com/2008/12/14/a-simple-introduction-to-django-forms/






https://docs.djangoproject.com/en/dev/ref/template-response/
https://docs.djangoproject.com/en/dev/ref/templates/api/#django.template.Context
https://docs.djangoproject.com/en/dev/ref/templates/api/#django.template.RequestContext






http://stackoverflow.com/questions/5037505/web-application-best-way-to-handle-state


I have some crud pages for which I have to store some state information, like current page, records per page, current order, filter conditions, and sometimes way more information...
I'd like to use friendly urls similar to rest style, something like http://microformats.org/wiki/rest/urls (GET for browsing, POST to add, PUT to edit, DELETE to remove)
The problem with cookies is that if I open several tabs, all of them would share the same cookies, it's the same with the session because the session id is stored in a cookie
if I try to keep those params in the url (something like GET /clients?page=1&len=10&sort=name&filter=smith) as soon as I issue a POST I lose those values
the other solution would be to store the state on hidden inputs, and to always issue posts carrying around those hidden inputs, but in that case I can't use GET for queries...
so, how do you handle web presentation state?





Saved Links - jmeter

http://blogs.nologin.es/rickyepoderi/index.php?/archives/32-High-Availability-in-Application-Servers.html


CONCEPTS

As always, some concepts are needed before the entry goes into the substance. Application servers mainly have three different clustering solutions.

Load Balancing + Stickiness

The first and easiest clustered solution is just a setup with two or more application servers which receive clients in a sticky way. When I say stickiness I refer to the fact that once a user's request has first been sent to a specific server (and the Java session has been created in this server), the load balancing element always sends his future requests to the same server. This way the session is maintained in only one server but everything works as expected.
In this scenario there is no special session treatment and, therefore, if one application server dies all its sessions (clients) are lost. The balancer will detect the server has gone down and all new requests will be redirected to another server but, as sessions are stored individually, the user will have to re-login and previous work (in a shopping cart application for instance) could be lost.
As you see, this solution is very, very simple. There are lots of load balancer solutions (software or hardware) and almost all of them support stickiness (using the jsessionid tracking cookie) and server status checks. Stickiness can also be used in the other two solutions and, in fact, it is usually recommended.

Load Balancing + Session Replication

The second solution tries to solve the session-loss problem of the previous scenario. Many application servers (all the famous ones at least) implement an in-memory session replication. This way, when a request modifies any attribute in the session these changes are sent to the rest of the servers and, consequently, the session is always up to date in all of them.
This solution solves the main problem but it is not absolutely safe. Some problems are the following: all sessions are in all servers (this is the main one, think about a ten-server cluster with thousands and thousands of sessions), replication is not immediate, performance drops when a lot of sessions are involved or they are very big and, if all servers die unexpectedly, they are also lost.

Load Balancing + HA Storage

The final solution is to use another persistent element to store sessions (the Application Server can save sessions only in the repository or in both places, its own heap and the new repository). This solution has two main problems: the High Availability feature is moved from the Application Servers to the external repository, and the performance penalty of storing and retrieving every session may be major.

DEMO

The third solution presented before was not very common, mainly because the repository for storing sessions was traditionally a database, which represents a severe performance impact, and a clustered database was also needed (you know, the box was worth more than its contents). So usually AppServer HA solutions were reduced to the first (when session loss was not a decisive penalty) or the second scenario (when a session-aware cluster was really needed). Nevertheless, since memcached, the in-memory backends are getting more and more popular and this kind of external repository can solve, in theory, all the typical problems of JDBC stores. When I heard about this idea (as I commented in the beginning of the entry, some commercial Application Servers are starting to offer this solution) I checked if there was any open source implementation for doing the same and I found the memcached-session-manager or MSM project. MSM honors its name and it is exactly that, a session manager for tomcat (6 and 7) and memcached. So in the rest of this chapter I am going to explain how to set up the previous three scenarios using tomcat.
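Added example, not from the quoted post nor from the MSM project: a toy model of the three setups, in Python rather than Java, just to watch one session through a node failure. Servers, cookies and the external repository are plain Python objects (a dict stands in for memcached or a JDBC store); the route suffix on the session id copies the Tomcat jvmRoute convention (sessionid.nodeName) that mod_jk and mod_proxy use for stickiness. Node names, the user alice and the cart contents are made up.

```python
# Added example: sticky balancing with local, replicated and external session stores.
# Toy model only; nothing here is Tomcat or MSM code.
import copy
import itertools

LOCAL, REPLICATED, EXTERNAL = "local", "replicated", "external"


class AppServer(object):
    """One Tomcat-like node. ``heap`` is this JVM's own session map."""

    def __init__(self, name, mode, shared_store):
        self.name = name
        self.mode = mode
        self.shared = shared_store        # the external repository (memcached/DB stand-in)
        self.heap = {}
        self.peers = []                   # other cluster members, set once the cluster exists
        self.alive = True
        self._ids = itertools.count(1)

    def _store(self):
        return self.shared if self.mode == EXTERNAL else self.heap

    def load(self, sid):
        return self._store().get(sid)

    def save(self, sid, session):
        self._store()[sid] = session
        if self.mode == REPLICATED:       # push a full copy to every live peer
            for peer in self.peers:
                if peer.alive:
                    peer.heap[sid] = copy.deepcopy(session)

    def handle(self, cookie, action):
        """Process one request; return (cookie_to_set, response_text)."""
        sid = cookie.rsplit(".", 1)[0] if cookie else None
        session = self.load(sid) if sid else None
        if session is None:               # unknown or lost session: start a fresh one
            sid = "%s-%04d" % (self.name.upper(), next(self._ids))
            session = {"user": None, "cart": []}
        verb, _, arg = action.partition(" ")
        if verb == "login":
            session["user"] = arg
        elif verb == "add":
            if session["user"] is None:   # the user's login state did not survive
                return sid + "." + self.name, "401 login required"
            session["cart"].append(arg)
        self.save(sid, session)
        return sid + "." + self.name, "200 %s cart=%s" % (session["user"], session["cart"])


class StickyBalancer(object):
    def __init__(self, servers):
        self.servers = servers

    def route(self, cookie):
        if cookie and "." in cookie:      # honour the jvmRoute suffix if that node is up ...
            wanted = cookie.rsplit(".", 1)[1]
            for s in self.servers:
                if s.name == wanted and s.alive:
                    return s
        for s in self.servers:            # ... otherwise fail over to the first live node
            if s.alive:
                return s
        raise RuntimeError("no backend alive")


def scenario(mode, kill="tomcat1"):
    """Login, add to cart, kill the sticky node, add again. Returns [(node, reply), ...]."""
    shared = {}
    servers = [AppServer(n, mode, shared) for n in ("tomcat1", "tomcat2", "tomcat3")]
    for s in servers:
        s.peers = [p for p in servers if p is not s]
    lb = StickyBalancer(servers)
    cookie, transcript = None, []
    for step in ("login alice", "add book", "KILL", "add pen"):
        if step == "KILL":
            next(s for s in servers if s.name == kill).alive = False
            continue
        node = lb.route(cookie)
        cookie, reply = node.handle(cookie, step)
        transcript.append((node.name, reply))
    return transcript


if __name__ == "__main__":
    for mode in (LOCAL, REPLICATED, EXTERNAL):
        print(mode, scenario(mode))
```

Running it prints one transcript per mode: in local the request after the failure gets a 401 because tomcat2 has never seen the session, while replicated and external both answer 200 with the cart intact. What the toy does not model is the gap the post warns about, that replication is not immediate, so a node that dies between the save and the copy loses the last write anyway. And when the repository is memcached, remember it does no client authentication of its own: the session store has to sit on a network segment that only the application servers can reach.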



lenglui
http://www.linkedin.com/groups/Measure-tomcat-Performance-with-JMeter-3863637.S.64805236









how to use jmeter on debian6
http://www.google.com.my/search?q=how+to+use+jmeter+on+debian6&sugexp=chrome,mod=6&sourceid=chrome&ie=UTF-8






Making a MockPortal project and app, with login and Templates

Scenario:
making a MockPortal app.

- MockPortal project = startproject
- MockPortal app = startapp







django-admin.py startproject mockportal    (http://www.djangobook.com/en/2.0/chapter02/)
/mockportal
    manage.py
    /mockportal/settings.py
= edit settings.py ('UTC')
= http://192.168.195.136:8020/asdf -> "Start your first app by running python manage.py startapp [appname]."
python manage.py startapp mockportal_app
/mockportal
    manage.py
    /mockportal/settings.py
    /mockportal_app/views.py




Scenario: Create a basic login page
https://docs.djangoproject.com/en/dev/topics/auth/ User authentication in Django | Django documentation | Django

Note that if you don't specify the login_url parameter, you'll need to map the appropriate Django view to settings.LOGIN_URL. For example, using the defaults, add the following line to your URLconf:
(r'^accounts/login/$', 'django.contrib.auth.views.login'),

python manage.py syncdb    (creates the tables for the installed apps, including the auth_* tables and django_session)





Scenario: Put a template for the basic login page. PATH: where on the filesystem?
http://www.djangobook.com/en/2.0/chapter04/
With TEMPLATE_DIRS set, the next step is to change the view code to use Django’s template-loading functionality rather than hard-coding the template paths. Returning to our current_datetime view, let’s change it like so:
Sample base templates and login templates:
http://devdoodles.wordpress.com/2009/02/16/user-authentication-with-django-registration/
https://bitbucket.org/devdoodles/registration_templates/src








NEWDOCS https://docs.djangoproject.com/en/dev/topics/auth/#module-django.contrib.auth.forms
OLDDOCS https://docs.djangoproject.com/en/1.0/topics/auth/#module-django.contrib.auth.forms

Built-in forms
If you don't want to use the built-in views, but want the convenience of not having to write forms for this functionality, the authentication system provides several built-in forms located in django.contrib.auth.forms:

class AdminPasswordChangeForm
A form used in the admin interface to change a user's password.

class AuthenticationForm
A form for logging a user in.

#################################################


























Playdoh, csrf, cookies, secure and httponly

Playdoh:

Mozilla's Django project template (based on Django 1.3)

Examples of:
logging: loggers, handlers and levels
cookies: secure and httponly
sphinx: documentation, source, readthedocs

http://playdoh.readthedocs.org/en/latest/userguide/logging.html
####################################


django cookies: session cookies, csrf cookies, secure, httponly
http://coffeeonthekeyboard.com/tag/django-nyc-security/page/2/








Wednesday, August 29, 2012

HTTP Primer: I read this

A good one, and I don't think I'd need to re-read it again.

http://www.orion.it/~alf/whitepapers/HTTPPrimer.html

Alessandro Forghieri,Tue Jan 4 2000



Year 2000 document, not exhaustive, but a good article to start off from.






Tuesday, August 28, 2012

Python Unicode, encode to utf-8, etc.


http://www.stereoplex.com/blog/python-unicode-and-unicodedecodeerror


Python, bytes and strings

You've probably noticed that there seems to be a couple of ways of writing down strings in Python. One looks like this:
  'this is a string'
Another looks like this:
  u'this is a string'
There's a good chance that you also know that the second one of those is a Unicode string. But what's the first one? And what does it actually mean to 'be a Unicode string'?




It's worth reiterating that terminology, as you come across it a lot: the transformation from Unicode to an encoding like ASCII is called 'encoding'. The transformation from ASCII back to Unicode is called 'decoding'.

    Unicode  ---- encode ----> ASCII
    ASCII    ---- decode ----> Unicode
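Added example (not from the quoted article), in Python 3 terms, where the roles of the two literals are the other way round from the Python 2 text above: 'abc' is the Unicode type (str) and b'abc' is the byte string. It walks the two arrows above in both directions and then shows what strict decoding does with bytes that are not valid UTF-8, including the classic overlong encoding of '/' that has been used to sneak a path separator past filters. All inputs are constructed inline.

```python
# Added example: encode/decode directions and strict handling of bad input.


def encode_text(text, encoding="utf-8"):
    """Unicode -> bytes (the 'encode' arrow above)."""
    return text.encode(encoding)


def decode_bytes(raw, encoding="utf-8"):
    """bytes -> Unicode (the 'decode' arrow above), strict."""
    return raw.decode(encoding)


def encode_or_escape(text, encoding):
    """Strict encode; if the target charset cannot hold a character, fall back
    to a visible, lossless escape instead of silently dropping it ('ignore')
    or replacing it with '?' ('replace')."""
    try:
        return text.encode(encoding)
    except UnicodeEncodeError:
        return text.encode(encoding, "backslashreplace")


def decode_untrusted(raw):
    """Decode bytes that came off the network. Returns (ok, text_or_reason).

    Strict decoding is deliberate: 'replace' and 'ignore' would let malformed
    bytes through as U+FFFD or as nothing at all, and a check done on the
    decoded text then disagrees with what a byte-oriented consumer (the
    filesystem, a C library) will see when it gets the original bytes.
    """
    try:
        return True, raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return False, "%s at byte %d" % (exc.reason, exc.start)


SAMPLES = {  # constructed inputs; the comments show the raw bytes
    "ascii": b"this is a string",
    "utf8": "caf\u00e9".encode("utf-8"),           # b'caf\xc3\xa9'
    "latin1": "caf\u00e9".encode("latin-1"),       # b'caf\xe9', not valid UTF-8
    "overlong_slash": b"\xc0\xaf",                 # non-shortest-form encoding of '/'
    "truncated": "\u20ac".encode("utf-8")[:2],     # b'\xe2\x82', cut mid-sequence
}


def classify_samples():
    return {name: decode_untrusted(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, value) in classify_samples().items():
        print("%-15s %s %r" % (name, "OK  " if ok else "FAIL", value))
```

The last three samples all raise UnicodeDecodeError under the strict default, which is the behaviour you want at the boundary; decode once, there, and pass only str around inside the application.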







Monday, August 27, 2012

Django, CSV files, and chunking/streaming 500MB csv files thru http response.



http://stackoverflow.com/questions/5146539/streaming-a-csv-file-in-django

http://crashcoursing.blogspot.com/2011/05/exporting-csv-with-special-characters.html

http://stackoverflow.com/questions/155097/microsoft-excel-mangles-diacritics-in-csv-files










Current pages referenced for Django


https://docs.djangoproject.com/en/dev/ref/models/querysets/
https://docs.djangoproject.com/en/1.4/topics/db/queries/
https://docs.djangoproject.com/en/1.4/ref/models/relations/




Methods that return new QuerySets

Django provides a range of QuerySet refinement methods that modify either the types of results returned by the QuerySet or the way its SQL query is executed.

filter

filter(**kwargs)
Returns a new QuerySet containing objects that match the given lookup parameters.
The lookup parameters (**kwargs) should be in the format described in Field lookups below. Multiple parameters are joined via AND in the underlying SQL statement.

exclude

exclude(**kwargs)
Returns a new QuerySet containing objects that do not match the given lookup parameters.
The lookup parameters (**kwargs) should be in the format described in Field lookups below. Multiple parameters are joined via AND in the underlying SQL statement, and the whole thing is enclosed in a NOT().
This example excludes all entries whose pub_date is later than 2005-1-3 AND whose headline is "Hello":
Entry.objects.exclude(pub_date__gt=datetime.date(2005, 1, 3), headline='Hello')
In SQL terms, that evaluates to:
SELECT ...
WHERE NOT (pub_date > '2005-1-3' AND headline = 'Hello')
This example excludes all entries whose pub_date is later than 2005-1-3 OR whose headline is "Hello":
Entry.objects.exclude(pub_date__gt=datetime.date(2005, 1, 3)).exclude(headline='Hello')
In SQL terms, that evaluates to:
SELECT ...
WHERE NOT pub_date > '2005-1-3'
AND NOT headline = 'Hello'




https://docs.djangoproject.com/en/dev/ref/models/querysets/#django.db.models.query.QuerySet.exists

exists

exists()
Returns True if the QuerySet contains any results, and False if not. This tries to perform the query in the simplest and fastest way possible, but it does execute nearly the same query. This means that calling QuerySet.exists() is faster than bool(some_query_set), but not by a large degree. If some_query_set has not yet been evaluated, but you know that it will be at some point, then using some_query_set.exists() will do more overall work (one query for the existence check plus an extra one to later retrieve the results) than simply using bool(some_query_set), which retrieves the results and then checks if any were returned.

update

update(**kwargs)
Performs an SQL update query for the specified fields, and returns the number of rows affected.
For example, to turn comments off for all blog entries published in 2010, you could do this:
>>> Entry.objects.filter(pub_date__year=2010).update(comments_on=False)
(This assumes your Entry model has fields pub_date and comments_on.)
You can update multiple fields — there's no limit on how many. For example, here we update the comments_on and headline fields:
>>> Entry.objects.filter(pub_date__year=2010).update(comments_on=False, headline='This is old')










Erlang stuff


http://stackoverflow.com/questions/1831520/relation-between-language-and-scalability?lq=1


Erlang comes from another culture in thinking about reliability and how to achieve it. Understanding the culture is important, since Erlang code does not become fault-tolerant by magic just because it's Erlang.
A fundamental idea is that high uptime does not only come from a very long mean-time-between-failures, it also comes from a very short mean-time-to-recovery if a failure happened.
One then realizes that one needs automatic restarts when a failure is detected. And one realizes that at the first detection of something not being quite right one should "crash" to cause a restart. The recovery needs to be optimized, and the possible information losses need to be minimal.
This strategy is followed by much successful software, such as journaling filesystems or transaction-logging databases. But overwhelmingly, software tends to only consider the mean-time-between-failures and send messages to the system log about error indications, then try to keep on running until it is not possible anymore. Typically this requires a human monitoring the system and manually rebooting.
Most of these strategies are in the form of libraries in Erlang. The part that is a language feature is that processes can "link" and "monitor" each other. The first one is a bi-directional contract that "if you crash, then I get your crash message, which if not trapped will crash me", and the second is "if you crash, I get a message about it".
Linking and monitoring are the mechanisms that the libraries use to make sure that other processes have not crashed (yet). Processes are organized into "supervision" trees. If a worker process in the tree fails, the supervisor will attempt to restart it, or all workers at the same level of that branch in the tree. If that fails it will escalate up, etc. If the top-level supervisor gives up, the application crashes and the virtual machine quits, at which point the system operator should make the computer restart.
The complete isolation between process heaps is another reason Erlang fares well. With few exceptions, it is not possible to "share values" between processes. This means that all processes are very self-contained and are often not affected by another process crashing. This property also holds between nodes in an Erlang cluster, so it is low-risk to handle a node failing out of the cluster. Replicate and send out change events rather than have a single point of failure.
The philosophies adopted by Erlang have many names: "fail fast", "crash-only system", "recovery oriented programming", "expose errors", "micro-restarts", "replication", ...



http://stackoverflow.com/questions/8051087/language-best-for-a-photo-sharing-site-php-python-ruby-or-something-else?rq=1

Any. The language doesn't matter. Ruby-fanatics (especially the RubyOnRails sort) will try and tell you that their language will do everything in only 10 lines and it'll make you dinner and pick the kids up from school. Others will tell you that their language is the most secure, fastest, quickest to develop in, etc. Ignore them.
I love Python and I'd love to recommend it - but seriously, it won't make a difference. Just pick the language you know the best and get writing. So if that's Java, start writing Java. If that's C++, hell, start writing C++.
I don't believe the people who say that [insert language here] is fastest to develop in. It's all about what you find comfortable. Some languages provide extra functionality but you can always write a library that provides that if you need it - it shouldn't take too long and, chances are, someone has already done it.
Remember: Facebook is written in PHP (though they compile a lot of that PHP to C++ now for speed), MySpace was written in C#/Cold Fusion (I believe), Twitter uses Ruby On Rails (though they plan to abandon it apparently), Google uses Java/Go (I think) and LinkedIn uses ASP.net or something I think. My point is - tonnes of services, tonnes of languages and they're all doing ok. Right now, any language will do.
My favourite little phrase is "just build it". Whilst it's a good idea to have a nice architecture and think about performance and scalability - if those things will make you abandon the project half way through, what's the point in bothering? Besides, chances are you'll need to recode a large part of it anyway later on, assuming the project grows. Really think that Facebook are using the same code they were at the start?
So, in summary, pick whichever language you want. It'll be fine.


http://stackoverflow.com/questions/1779191/how-to-push-erlang-to-my-workplace?lq=1

There are a few approaches, and none of them has any guarantee of actually working:
  • Implement something substantial in a short time frame, perhaps using your own time. Don't tell anyone until you have something to display that works. Unless you have a colleague in on it.
  • Pull up lots of Erlang projects that are good demonstrations of the features you want. Present it to your managers and try to frame for them the risk of keeping on using Java with this kind of technology available.
If the company you work for actually has a working code base in Java already, they're not likely to take you seriously when you suggest rewriting it in another language.
The true test that you believe in Erlang being a much better choice: quit and start up a competing company and bring the technology insight you have in your current industry. Your managers are really comparing a similar risk scenario as you would if you were to quit your job, and they are looking for the same assuring facts for success as you would, to consider leaving a "safe" paycheck.

As for how to integrate, check out the jinterface application in Erlang. It allows Java code to send messages to Erlang nodes, and it allows Java to expose mailboxes to the Erlang nodes as if they were Erlang processes.



http://www.erlang.org/download/erlang-book-part1.pdf








http error 400 - Google Search
http://www.checkupdown.com/status/E400.html
http://blogs.msdn.com/b/webtopics/archive/2009/01/29/how-to-troubleshoot-http-400-errors.aspx





My Django URLs not picking up dashes



Try: ^(?P<page>[-\w]+)/$
[-\w] will accept a-z 1-9 and dash
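Added example (mine, not part of the answer above) that runs the suggested pattern over a few paths, because the one-line summary of what it accepts is a little off: \w is letters, digits 0-9 and the underscore, while the dash comes from the literal - in the character class. Two variants are compiled alongside it: one with re.ASCII, which is what a Python 2 pattern without re.UNICODE does (Django itself compiles URL regexes with re.UNICODE, so the first column is the one that applies there), and one anchored with \A ... \Z, because $ also matches just before a trailing newline. The paths are constructed.

```python
# Added example: what ^(?P<page>[-\w]+)/$ really admits.
import re

PAGE_RE = re.compile(r"^(?P<page>[-\w]+)/$")                   # the pattern from the answer
PAGE_RE_ASCII = re.compile(r"^(?P<page>[-\w]+)/$", re.ASCII)   # \w limited to [a-zA-Z0-9_]
PAGE_RE_STRICT = re.compile(r"\A(?P<page>[-\w]+)/\Z")          # \Z: no trailing newline allowed


def match_page(path, pattern=PAGE_RE):
    """Return the captured page slug, or None when the path does not match."""
    m = pattern.match(path)
    return m.group("page") if m else None


CASES = [  # constructed paths
    "about-us/",      # dash: matches
    "my_page2/",      # underscore and digit: both match (\w includes them, and 0)
    "0/",
    "../etc/",        # dots: rejected, so no traversal-looking slugs get through
    "a b/",           # space: rejected
    "about-us",       # missing trailing slash: rejected
    "caf\u00e9/",     # non-ASCII letter: accepted by a Unicode \w, not with re.ASCII
    "about-us/\n",    # '$' still matches before a final newline; '\Z' does not
]


def table():
    """Map each path to (unicode match, ascii match, strict match)."""
    return {p: (match_page(p), match_page(p, PAGE_RE_ASCII), match_page(p, PAGE_RE_STRICT))
            for p in CASES}


if __name__ == "__main__":
    for path, results in table().items():
        print("%-14r -> %r" % (path, results))
```

The dot and space rows are the reason this pattern is a reasonable slug filter: whatever the view does with the captured value, it cannot contain a path separator or a parent-directory reference. The newline row is a reminder to use \Z rather than $ whenever the captured value ends up in a place where a trailing newline matters.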






using javascript to draw shapes - Google Search & POSITIONING HTML FLOATS


http://bytes.com/topic/html-css/answers/97805-float-position-any-difference-between-div-span

float/position: any difference between div and span?


As far as I know <div> is a block element and <span> is an inline element. One shouldn't float inline elements, for they should be (ahum ....) inline.
Having said this, I know that some browsers don't protest against inline elements being treated as if they were block elements. As you found out, they render the content the way you want them to.




http://www.w3.org/TR/WD-positioning-970131

Positioning HTML Elements
with Cascading Style Sheets




how to position a span between two floats - Google Search







using javascript to draw shapes - Google Search
http://stackoverflow.com/questions/5252751/drawing-basic-shapes-with-html-css-javascript
http://raphaeljs.com/
http://jsdraw2d.jsfiction.com/#license




A Whole Bunch of Amazing Stuff Pseudo Elements Can Do


http://css-tricks.com/pseudo-element-roundup/


jquery to get the value of a hidden input - Google Search

http://stackoverflow.com/questions/4376664/jquery-access-input-hidden-value


You can access hidden fields' values with val(), just like you can do on any other input element:
<input type="hidden" id="foo" name="zyx" value="bar" />

alert($('input#foo').val());
alert($('input[name=zyx]').val());
alert($('input[type=hidden]').val());
Those all mean the same thing in this example.







javascript how to coerce variable to string type - Google Search
http://www.w3schools.com/jsref/jsref_string.asp

The String() function is supported in all major browsers.

Tips and Notes

Note: The String() function returns the same value as toString() of the individual objects.


<script type="text/javascript">

var test1 = new Boolean(1);
var test2 = new Boolean(0);
var test3 = new Boolean(true);
var test4 = new Boolean(false);
var test5 = new Date();
var test6 = new String("999 888");
var test7 = 12345;

document.write(String(test1)+ "<br />");
document.write(String(test2)+ "<br />");
document.write(String(test3)+ "<br />");
document.write(String(test4)+ "<br />");
document.write(String(test5)+ "<br />");
document.write(String(test6)+ "<br />");
document.write(String(test7)+ "<br />");

</script>



Tuesday, August 14, 2012

Python's CSV library, and the output



import csv

from django.http import HttpResponse
# Operator and Customer are the project's own models (import path not shown on this page).


def report_all(request, *args, **kwargs):
    """ Queries for all customers for an operator_name.

        Returns the list of all ***cust.active*** customers as CSV data.
    """
    # 1. Prepare the output type (mimetype= is the Django 1.4 keyword; later
    #    versions call it content_type=). csv.writer only needs a .write(),
    #    which HttpResponse provides, so it can write straight into the response.
    response = HttpResponse(mimetype='text/csv')
    response['Content-Disposition'] = 'attachment; filename=report_all.csv'
    writer = csv.writer(response)

    # 2. Query the db (operator_name comes in from the URLconf kwargs)
    operator_name = kwargs['operator_name']
    operator = Operator.objects.get(name=operator_name)

    customer_set = Customer.objects.filter(operator_id=operator.id)
    # cust_csv is a list of lists. "%12s" pads every cell to 12 characters
    # (right-aligned), which is what gives the aligned columns in the output below.
    first_row = [["%12s" % "[Customer]", "%12s" % "[Lic Size]"]]
    cust_csv = first_row + [["%12s" % cust.extref, "%12s" % cust.license_size] for cust in customer_set]

##    dct_customer_info = lambda cust : dict(id=cust.id, extref=cust.extref, license_size=cust.license_size, first_login_date=cust.first_login_date, last_login_date=cust.last_login_date)
##    customer_csv = ["%(id)10s, %(extref)10s, %(license_size)10s, " % dct_customer_info(customer) for customer in customer_set]

    # 3. Write and return the CSV
    for row in cust_csv:
        writer.writerow(row)

    # Two extra rows to see how csv.writer quotes commas and double quotes
    writer.writerow(['First row', 'F,oo', 'Ba,r', 'Baz', ",,,"])
    writer.writerow(['Second row', 'A', 'B', 'C', '"Testing"', 'Her","e\'s a quote'])
    return response


######################################


  [Customer],  [Lic Size]
       john1,          12
      sawtec,          11
     willa01,           5
      chewbo,          10
      lamsio,          10
    siang666,          10
       john2,          11
First row,"F,oo","Ba,r",Baz,",,,"
Second row,A,B,C,"""Testing""","Her"",""e's a quote"


#################################################################


https://docs.djangoproject.com/en/dev/howto/outputting-csv/


If:

    writer.writerow(['First row', 'Foo', 'Bar', 'Baz'])
    writer.writerow(['Second row', 'A', 'B', 'C', '"Testing"', "Here's a quote"])


First row,Foo,Bar,Baz
Second row,A,B,C,"""Testing""",Here's a quote
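Added example, neither the view above nor the Django docs' code: the same csv.writer rules applied to the two test rows from the view, so the quoting can be checked without a database (a StringIO replaces the HttpResponse); the write-through Echo trick for streaming a large export row by row instead of building the whole thing in memory, which is the approach the "chunking/streaming" link above discusses (in Django it pairs with StreamingHttpResponse, added in 1.5); and one guard that is not on this page but belongs next to any CSV that will be opened in Excel, as the later links assume: cells starting with =, +, -, @ are evaluated as formulas by spreadsheets, so untrusted text cells get an apostrophe prefix. The third, hostile row is constructed.

```python
# Added example: csv quoting, streaming rows, and neutralising spreadsheet formulas.
import csv
import io


def csv_lines(rows):
    """Render rows with csv.writer's default dialect (QUOTE_MINIMAL, CRLF line ends)."""
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue().split("\r\n")[:-1]


class Echo(object):
    """File-like object whose write() just hands the text back.

    csv.writer only needs a .write(); returning the text lets the caller emit
    each row as soon as it is produced instead of buffering the whole export.
    """

    def write(self, value):
        return value


def stream_csv(rows):
    """Yield one finished CSV line per row (feed this to StreamingHttpResponse)."""
    writer = csv.writer(Echo())
    for row in rows:
        yield writer.writerow(row)    # writerow returns whatever Echo.write returned


def neutralise(cell):
    """Prefix cells a spreadsheet would otherwise evaluate as a formula."""
    text = str(cell)
    if text and text[0] in "=+-@\t\r":
        return "'" + text
    return text


def safe_rows(rows):
    return [[neutralise(c) for c in row] for row in rows]


ROWS = [  # the two rows from the page, plus one constructed hostile row
    ["First row", "F,oo", "Ba,r", "Baz", ",,,"],
    ["Second row", "A", "B", "C", '"Testing"', 'Her","e\'s a quote'],
    ['=HYPERLINK("http://example.invalid";"click")', "-1", "@SUM(A1)"],
]


if __name__ == "__main__":
    for line in csv_lines(ROWS[:2]):
        print(line)
    for line in stream_csv(safe_rows(ROWS[2:])):
        print(line, end="")
```

Apply neutralise only to columns that hold free text from users; a numeric column of negative values would otherwise come out as '-1. Note also that csv.writer quotes a field only when it has to (QUOTE_MINIMAL), which is why Baz and A stay bare in the expected lines while every field containing a comma or a double quote is wrapped and has its quotes doubled.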

Monday, August 13, 2012

Custom view function to do temporary testing stuff - Django.


  • slot it in there.





class AdminOperatorViewCrud(operator_crud.OperatorViewCrud):
    def handle_request(self, request, *args, **kwargs):
        """ ubill temp """
        super(AdminOperatorViewCrud, self).handle_request(request, *args, **kwargs)

        print "---testing---"
        zero_product_check_ok = zero_product_check(crud_instance=self)
        return



    def get_edit_url(self):
        return view_util.url(operator_edit, operator_id=self.operator_id)







Wednesday, August 8, 2012

Many ways of making Queries with foreign keys in Django

1)

    operator_id = crud_instance.operator_id
    operator = crud_instance.operator




    productset = Product.objects.filter(operator=operator)
    productset = Product.objects.filter(operator_id=operator_id)



Both these lines are usable.
=operator_id is the actual Fk field in the db table. Lookup with unicode/int operator_id.
=operator looks up with an instance of operator model object. Same effect.

2)
3)
4) user.user.groups (UserProfile table): mapping fk User to fk Operator
User = auth_user
The auth_user table does not have an Fk to the groups table.
But user.groups works anyway: groups is a ManyToManyField on User, so Django goes through the join table auth_user_groups for you. Being many-to-many, it is a manager (user.groups.all()), not a single .group attribute.

    def minimum_users_check(crud_instance):
        """True if the operator has at least one "Operator Admin" and one
        "Operator Webservice" user. (Function name taken from the call in 5) below.)"""
        operator_id = crud_instance.operator_id
        admin_ok = False
        webservice_ok = False
        user_set = UserProfile.objects.filter(operator_id=operator_id)
        for profile in user_set:
            # groups is many-to-many: iterate over them instead of reading .group
            for group in profile.user.groups.all():
                group_name = group.name
                print group_name #get_user_group_cfg(profile.user) #profile.user.groups
                if group_name == "Operator Admin": admin_ok = True
                if group_name == "Operator Webservice": webservice_ok = True
                #request_logger.warning("Duplicate entry in auth_user_groups: 1 user with 2 groups.")
            if admin_ok and webservice_ok:
                return True

        return False



5) View code to trigger your own functions

    def handle_request(self, request, *args, **kwargs):
        """ubill temp

        operator edit: you have the operator_id from url
        self.operator_id, self.operator
        """
        super(OperatorEditCrud, self).handle_request(request, *args, **kwargs)

        #zero_product_check(crud_instance=self)
        print "pass?", minimum_users_check(crud_instance=self)
        print "===Handled request==="



























Monday, August 6, 2012

how to apt-get upgrade only certain packages



http://askubuntu.com/questions/92816/how-to-only-apt-get-upgrade-certain-applications

how to apt-get upgrade only certain packages - Google Search



Just simply write
    sudo apt-get install firefox
apt will recognize it as a request for update as firefox is already installed. It will also update the dependencies. Just tested it a few minutes ago. Works for every package which is listed after the sudo apt-get dist-upgrade
You just re-install the package, For example: if you have installed chromium-browser, when you type "sudo apt-get install chromium-browser" again, system will check if there is a new one in the repository and update it.