Comments (4)
The current authentication mechanism is based on a signature that goes along with all requests, rather than a classic session-based authentication. The server does not preserve sessions.
This being said, the only way using cookies would prevent entering credentials each visit is by storing the password itself in a cookie, which is terribly wrong and I'm not going to agree to implement it.
I understand that entering credentials each time is painful but if the browser isn't offering to save your credentials, then that's a totally different issue to investigate and fix.
from motioneye.
The server does not preserve sessions
PHP preserve sessions and many languages has libraries to work with sessions. And I'm sure that we can implement working with sessions.
I even suggest to use persistent cookie with expiration date of one week.
This being said, the only way using cookies would prevent entering credentials each visit is by storing the password itself in a cookie, which is terribly wrong and I'm not going to agree to implement it.
I don't understand you. Just generate some random hash when user sends his credentials and send this hash to him in cookie. On each subsequent request check this cookie and allow/disallow the request.
I understand that entering credentials each time is painful but if the browser isn't offering to save your credentials, then that's a totally different issue to investigate and fix.
Password save and persistent session are not interchangeable features. They both must work.
If you can't implement this, please, leave this issue opened. Somebody (maybe me) will implement it and send you the pull request.
from motioneye.
I know many frameworks have session support. I just wanted to say that motionEye does not have one and the reason is that I always thought of it as a single user app (well, two roles to be more precise), and without anything particular to constitute a session. Hence, no session.
I am generating a hash based on credentials and request data, and this is exactly the way the signature mechanism works. However, the hash differs from request to request; that's the whole idea of signing the request, also preventing reply attacks. So, there's no single hash to be saved in a cookie.
However, hashing the password itself once and then using the result as input for the signature algorithm could be a good idea to... well, to store something that's not the password in a cookie (with limited validity, of course).
Then, making it expire on the server side could be achieved by including time information in the first hash, along with the password.
Password save and persistent session are not interchangeable features. They both must work.
I never said they were interchangeable. But in this particular case, having the browser remember your credentials is a workaround for the lack of session support. After all, this is how we got to this topic.
If you can't implement this, please, leave this issue opened. Somebody (maybe me) will implement it and send you the pull request.
I will keep the issue open then - I'd be happy to see your implementation.
from motioneye.
Given the existing authentication mechanisms (signature and basic HTTP) and given the fact that the password hash is now remembered by the browser in a cookie, I believe that this issue is no longer valid.
from motioneye.
Related Issues (20)
- Slow preview and recording HOT 1
- Probleme fonctionnel motioneye
- Install on Raspbian 12? HOT 5
- Hide cameras from the "user" account?
- Apply
- Login > Remember me issue (0.43.1b1) HOT 3
- Telegram notification test: error setting certificate verify locations:\n CAfile: /etc/pki/tls/certs/ca-bundle.crt HOT 4
- New error when installing motioneye HOT 2
- Working Scedule not working -> 0.43.1b1 HOT 2
- RTSP and V4L2 cameras Grey screen issues HOT 4
- Pi 5 CSI camera failed to open HOT 1
- RTSP Authentication - Password requires url encoding upon entering in UI HOT 5
- Refresh browser means sign on again why? HOT 1
- Feature request - Dummy camera option for remote motioneye instance
- Access the video overview directly
- 0byte snapshot files - no new releases and bugfixes? HOT 2
- Web Interface not working- log says "curl: (7) Failed to connect to 127.0.0.1 port 8765: Connection Refused" HOT 7
- Raspberry 3b :Use composite video and network stream at the same time HOT 1
- Motioneye on DietPi HOT 13
- Lovelace cards stay grey, however the web-interface of motioneye shows the cams. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from motioneye.