On Fri, 2009-04-03 at 01:41 -0700, Zeal wrote:
> I'm a newbie, I've been using Django to develop an application. The
> entire application needs to be based on an authorization mechanism. As
> of my current program, I just put the user's id in the session when they log
> in, and there is an authorization decorator to judge whether a request
> object includes a user id. Is this safe enough?
Is there some reason you can't use Django's django.contrib.auth application -- perhaps by writing your own authentication backend -- which will handle this sort of thing automatically for you? That will remove the need for you to worry about storing anything manually in the session and will make the user object available as an attribute on the request each time.

> By the way, due to the special requirement, the authorization of the
> end-user should be based on several fields, like which department or
> unit the end-user could visit. Hence, when a user logs in, his/her
> authorized objects' ids (pk in model) will be saved in the session, and then
> on every request that needs to retrieve data, such authorized object ids
> will be used as a filter condition, like filter(id__in=[]). Is this safe
> and effective?

It will work. The session value that the client side (browser) sees is only a key into the sessions table. It's randomly generated, so the chances of somebody guessing another user's active session are small (as in, it would take them a few centuries of guessing 1000 times per second). There's no actual session data sent to the client side -- all that is stored server-side in the django.contrib.session application (there are other ways to manage sessions, but that's how Django's out-of-the-box sessions work).

Regards,
Malcolm
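A plain-Python stand-in for the flow discussed in this thread, added here as an illustration (it is not code from the thread or from Django): the browser holds only an opaque random session key, the authorized object ids live server-side, a decorator refuses requests without a valid session, and the view filters records by those ids the way `filter(id__in=...)` would. The record table, user names and the `Request` class are constructed for the example.

```python
import secrets
from functools import wraps
from typing import Optional

# Constructed sample data: the "table" of records and which record pks each
# user is allowed to see (e.g. by department or unit).
RECORDS = {1: "unit A report", 2: "unit B report", 3: "unit C report"}
AUTHORIZED_IDS = {"alice": {1, 2}, "bob": {3}}

# Server-side session table: opaque random key -> session data.
# Only the key is ever handed to the client; the data never leaves the server.
SESSIONS = {}


def login(username: str) -> str:
    """Create a server-side session for the user and return the key for the client."""
    key = secrets.token_urlsafe(32)  # 256 random bits: not practically guessable
    SESSIONS[key] = {
        "user_id": username,
        "authorized_ids": set(AUTHORIZED_IDS.get(username, ())),
    }
    return key


class Request:
    """Minimal stand-in for a request carrying the client's session cookie."""

    def __init__(self, session_key: Optional[str]):
        # An unknown or forged key simply maps to no session at all.
        self.session = SESSIONS.get(session_key)


def authorization_required(view):
    """Decorator: reject any request whose session does not carry a user id."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.session is None or "user_id" not in request.session:
            return 403, "forbidden"
        return view(request, *args, **kwargs)

    return wrapper


@authorization_required
def list_records(request):
    """Return only the records whose pk is in the session's authorized set."""
    allowed = request.session["authorized_ids"]
    # Stand-in for Model.objects.filter(id__in=allowed)
    return 200, {pk: value for pk, value in RECORDS.items() if pk in allowed}
```

Because the authorized ids are read from the server-side table rather than from anything the client sent, altering the cookie can only yield an unknown key (no session), never a different set of ids.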