On Wed, Feb 12, 2014 at 3:17 PM, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

> Hi Ethan, comments in-line;
>
>
> On Wed, Feb 12, 2014 at 1:41 PM, Ethan Lowry <ethanma...@gmail.com> wrote:
>
>> Hi there,
>>
>> I have a bare-bones Django app set up and am planning on using the built
>> in Django user auth to manage log in and registration via the Android app
>> I'm developing.
>>
>> I've tried this a number of ways and can, for example, log in by sending
>> a GET request such as ([url]/login?username=[username]&password=[password])
>> and returning a JSON representation of the user if it's valid.
>>
>
> Sending a user's clear text password in a GET request is not a great
> approach: you end up with an access log full of passwords, and generally
> speaking it's an evil approach. You could use a one-time pad approach (i.e.
> create a unique string based on the user's password), but typically the size
> of a password is small, which increases the risk of brute forcing the string
> to determine the password. [1] Though you could salt it a bunch of times
> for good measure. [2]
>
> [1] http://en.wikipedia.org/wiki/Key_(cryptography)#Key_choice
> [2] http://en.wikipedia.org/wiki/Key_(cryptography)#Key_sizes
>

Sorry, I forgot to say: is there any reason why you cannot use a POST
request instead of GET? There are a few valid use cases for this, for
example supporting legacy systems or authentication handoff between
separate sites/systems (I believe Xero use, or used, a similar approach).


>
>>
>> Obviously this isn't an ideal or secure way of doing things and what I
>> originally tried was sending a POST request, but this gets denied with a
>> 403 and a message about not having a CSRF cookie attached.
>> I did some reading up and get roughly what this is, but could not find any
>> mention of how to get around this issue if you have to send POST requests
>> from another application, as in my case. Is it possible to do something
>> like make a GET request to Django and take a usable cookie from the
>> response and attach it to my POST request before sending?
>>
>
> There are a couple of ways of doing this. You could disable the CSRF
> protection for specific views [1], or use the CSRF AJAX approach [2].
>
> [1]
> https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#csrf-protection-should-be-disabled-for-just-a-few-views
> [2] https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax
>
>
>>
>> If anyone knows much about this issue, or has any general advice or best
>> practices regarding Django authentication on a mobile app, I'd much
>> appreciate it.
>>
>
> Hopefully this answers your question, but let me know if I've
> missed/overlooked anything.
>
>
>>
>> Thanks,
>> Ethan
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to django-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to django-users@googlegroups.com.
>> Visit this group at http://groups.google.com/group/django-users.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/django-users/f823094f-ab12-4d99-9f89-66952002681b%40googlegroups.com
>> .
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>

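The two fixes discussed in this thread (credentials in a POST body rather than the query string, and the cookie-to-header "AJAX approach" so a non-browser client can pass the CSRF check without exempting the view) can be seen end to end in the following added example. It is a deliberately small stand-in written for this post, not Django's own CSRF middleware or auth code: the `Request`/`Response` classes, the `get_token_view` and `login_view` functions, the cookie and header names and the user record are all assumptions, and the password store is a constructed one-user dictionary. Django's real check also involves a masked token and, over HTTPS, a Referer check; only the cookie-equals-header comparison is modelled here.

```python
"""Model of POST-body login plus cookie-to-header CSRF, written as an illustration
for this thread (hypothetical names; not Django's implementation)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

CSRF_COOKIE = "csrftoken"      # name Django uses for its CSRF cookie
CSRF_HEADER = "X-CSRFToken"    # header the AJAX approach echoes the cookie into


@dataclass
class Request:
    method: str
    path: str                      # path plus query string, as a web server logs it
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)   # form fields of a POST


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    set_cookies: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, pbkdf2 hash).
_SALT = os.urandom(16)
USERS = {"ethan": (_SALT, _hash("correct horse battery staple", _SALT))}
_DUMMY = (_SALT, _hash("dummy", _SALT))   # keeps unknown-user timing similar


def access_log_line(req: Request) -> str:
    """What a typical access log records: method and full path, never the body."""
    return f'"{req.method} {req.path}"'


def csrf_check(req: Request) -> bool:
    """Cookie-to-header check: the header must carry the same token as the cookie."""
    cookie = req.cookies.get(CSRF_COOKIE)
    header = req.headers.get(CSRF_HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie.encode(), header.encode())


def get_token_view(req: Request) -> Response:
    """GET endpoint that hands the client a fresh CSRF token as a cookie."""
    return Response(200, {"detail": "ok"},
                    set_cookies={CSRF_COOKIE: secrets.token_hex(16)})


def login_view(req: Request) -> Response:
    """POST-only login: method check, CSRF check, then credential check."""
    if req.method != "POST":
        return Response(405, {"detail": "POST required"})
    if not csrf_check(req):
        return Response(403, {"detail": "CSRF verification failed"})
    username = req.body.get("username", "")
    password = req.body.get("password", "")
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        return Response(401, {"detail": "invalid credentials"})
    return Response(200, {"username": username})


def client_login(username: str, password: str):
    """Client flow: GET for the token, then POST with cookie + header + body.
    Returns the login response and the access-log line the POST would produce."""
    first = get_token_view(Request("GET", "/login/token"))
    token = first.set_cookies[CSRF_COOKIE]
    post = Request("POST", "/login",
                   headers={CSRF_HEADER: token},
                   cookies={CSRF_COOKIE: token},
                   body={"username": username, "password": password})
    return login_view(post), access_log_line(post)


if __name__ == "__main__":
    resp, log = client_login("ethan", "correct horse battery staple")
    print(resp.status, log)            # 200 "POST /login": no password in the log
    leaky = Request("GET", "/login?username=ethan&password=secret")
    print(login_view(leaky).status, access_log_line(leaky))   # 405, password logged
```

The ordering in `login_view` matters: the method and CSRF checks run before any credential lookup, so a cross-site form post or a stray GET is rejected without touching the user store, and the access-log line for the accepted request contains only the path. Exempting the view with `csrf_exempt` would remove the second check entirely; the token round trip above is what lets an Android client keep it.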