On Mon, Aug 01, 2016 at 10:12:53PM +0200, ludovic coues wrote:
> The session cookie ?
> 
> Or you could use another decorator or a middle-ware doing
> authentication based on the ip and some information passed as get
> argument. Like a token returned by django when you auth the user.

Using the IP address to authenticate a user (even if it's just one of
several signals) sounds like a bad idea, particularly when mobile
devices are involved – it is very common for a phone to switch back
and forth between a wifi connection, and a cellular connection, which
most of the time means switching to a different IP, or even an
entirely different ISP.

Also, passing authentication tokens inside the URI is something that's
generally better avoided – what if there's some caching proxy
somewhere in between which would cache the full URL, including the
authentication token?

I would strongly recommend using one of the standard authentication
mechanisms instead of trying to roll your own custom solution for
authentication. If it is possible to use the session cookie, then by
all means do that. Otherwise you might want to investigate some form
of token-based authentication, maybe even something based on OAuth, or
perhaps JWT. The Django REST framework, for example, gives you many
options, both built-in, as well as popular third-party extensions.

Cheers,

Michal
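
As an added illustration for the advice above (not code from this thread and not Django REST framework's own implementation): a token check in the same shape as DRF's `TokenAuthentication`, which reads the credential from the `Authorization` header instead of a GET argument, plus a small heuristic that flags the URL-parameter pattern a caching proxy or access log would capture. The token store and request headers are constructed sample data; in a real Django project use DRF's built-in classes rather than this.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample store: token -> username. A real app keeps this in the
# database (DRF's rest_framework.authtoken does), never in module state.
TOKENS = {secrets.token_hex(20): "alice"}
ALICE_TOKEN = next(iter(TOKENS))


def _lookup(candidate: str) -> Optional[str]:
    # Compare in constant time against every stored token so response timing
    # does not reveal how many leading characters of a guess were correct.
    for stored, user in TOKENS.items():
        if hmac.compare_digest(stored, candidate):
            return user
    return None


def authenticate(headers: dict) -> Optional[str]:
    """Return the user named by 'Authorization: Token <key>', else None.

    The token travels in a request header, which proxies do not use as a
    cache key and which normally stays out of access logs, unlike the URL.
    """
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0].lower() != "token":
        return None
    return _lookup(parts[1])


def token_in_url(url: str) -> bool:
    """Heuristic: True when a credential rides in the query string, i.e. the
    pattern the thread warns about. Parameter names are assumed examples."""
    query = parse_qs(urlsplit(url).query)
    return any(k.lower() in ("token", "auth", "access_token") for k in query)
```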

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/20160801211841.GD5430%40koniiiik.org.