Hi Ethan, comments in-line;
On Wed, Feb 12, 2014 at 1:41 PM, Ethan Lowry <[email protected]> wrote:

> Hi there,
>
> I have a bare-bones Django app set up and am planning on using the built
> in Django user auth to manage log in and registration via the Android app
> I'm developing.
>
> I've tried this a number of ways and can, for example, log in by sending a
> GET request such as ([url]/login?username=[username]&password=[password])
> and returning a JSON representation of the user if it's valid.

Sending a user's clear text password in a GET request is not a great approach: you end up with an access log full of passwords, and generally speaking it's an evil approach. You could use a one-time pad approach (i.e. create a unique string based on the user's password), but typically the size of a password is small, which increases the risk of brute forcing the string to determine the password [1]. Though you could salt it a bunch of times for good measure [2].

[1] http://en.wikipedia.org/wiki/Key_(cryptography)#Key_choice
[2] http://en.wikipedia.org/wiki/Key_(cryptography)#Key_sizes

> Obviously this isn't an ideal or secure way of doing things and what I
> originally tried was sending a POST request, but this gets denied with a
> 403 and a message about not having a CSRF cookie attached.
> I did some reading up and get roughly what this is but could not find any
> mention of how to get around this issue if you have to send a POST request
> from another application as in my case - is it possible to do something
> like make a GET request to Django and take a usable cookie from the
> response and attach it to my POST request before sending?

There's a couple of ways of doing this. You could disable the CSRF protection for specific views [1], or use the CSRF AJAX approach [2].

[1] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protection-should-be-disabled-for-just-a-few-views
[2] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

> If anyone knows much about this issue, or has any general advice or best
> practices regarding Django authentication on a mobile app, I'd much
> appreciate it.

Hopefully this answers your question, but let me know if I've missed/overlooked anything.

> Thanks,
> Ethan
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/f823094f-ab12-4d99-9f89-66952002681b%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
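The "CSRF AJAX approach" the reply points to, as an added stand-alone example (not code from the thread or from Django): the client does one GET to obtain Django's `csrftoken` cookie, then sends that value back in both the `Cookie` header and the `X-CSRFToken` header on the login POST, with the password in the body rather than the URL. The `Set-Cookie` line is constructed, and `server_accepts_post` is a simplified stand-in for `CsrfViewMiddleware`'s check, not Django's implementation (newer Django also masks the token).

```python
"""Stand-alone simulation of the "CSRF AJAX approach" named above: GET once
to obtain Django's csrftoken cookie, then send that value back in BOTH the
Cookie header and the X-CSRFToken header on the login POST. No Django
import; the server-side check below is a constructed stand-in."""
import hmac
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlencode

COOKIE_NAME = "csrftoken"    # cookie CsrfViewMiddleware sets
HEADER_NAME = "X-CSRFToken"  # header the Django AJAX docs use

def csrf_cookie_from_response(set_cookie_header: str) -> Optional[str]:
    """Extract the csrftoken value from a raw Set-Cookie header line."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

def build_login_request(token: str, username: str, password: str):
    """Headers + form body for the follow-up POST /login. The token goes
    in cookie and header; the password goes in the body, not the URL,
    so it never lands in an access log."""
    headers = {"Cookie": f"{COOKIE_NAME}={token}", HEADER_NAME: token,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"username": username, "password": password})

def server_accepts_post(headers: dict) -> bool:
    """Constructed stand-in for the middleware's double-submit check:
    cookie and header must both be present and equal (constant-time
    compare). Real Django also masks the token; this keeps the idea only."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_tok = jar[COOKIE_NAME].value if COOKIE_NAME in jar else ""
    header_tok = headers.get(HEADER_NAME, "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, header_tok)

def run_exchange(set_cookie_header: str):
    """Return (accepted with X-CSRFToken, accepted without it)."""
    token = csrf_cookie_from_response(set_cookie_header)
    if token is None:
        return False, False
    good, _body = build_login_request(token, "ethan", "s3cret")
    missing = {k: v for k, v in good.items() if k != HEADER_NAME}
    return server_accepts_post(good), server_accepts_post(missing)

# Constructed Set-Cookie line, as a GET to a form view would return it.
SAMPLE_SET_COOKIE = "csrftoken=5cb1f3a7f0ab4e7d9c2e6b1a8d4f3e2c; Path=/; SameSite=Lax"

if __name__ == "__main__":
    print(run_exchange(SAMPLE_SET_COOKIE))  # (True, False): the 403 is case two
```

The second element of the result is the 403 Ethan saw: same cookie, but no `X-CSRFToken` header on the POST.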

