Hello everybody, I'm trying to create a cookie-based authentication so that the users don't have to log in each time they visit the website. I'm already using django.contrib.auth to log the users in and it works pretty well with a custom authentication backend (because I'm importing the users from another database). I thought I could create another authentication backend to log the users in by using cookies.
So I created a second authentication backend to handle this and added it to my AUTHENTICATION_BACKENDS setting. Now I have:

    AUTHENTICATION_BACKENDS = (
        'myproject.apps.users.models.Authentication',
        'myproject.apps.users.models.CookieAuthentication',
    )

In the cookie, 2 main pieces of information are stored: the user id and a hash of its password and a salt. So my CookieAuthentication.authenticate() method takes 2 arguments: the user id and the user's password hash.

The big problem is that Django's default authentication behaviour is to take a username and a raw password, and my authentication method should take a user id and a password hash. So for the moment I'm passing the user id as the "username" parameter and the password hash as the "password" parameter. But this leads to a couple of problems:

- If a user fails his authentication with the Authentication backend, the CookieAuthentication backend will be tried. Since the Authentication backend takes the username as the username argument and not the user id, the CookieAuthentication will crash. For the moment I added an "if isinstance()..." to test the type of the username variable, but I don't think it's very clean.

- I can't pass more information to the CookieAuthentication.authenticate() method, like the duration of the session (which depends on whether the user chose to remember his connection or not) and other stuff like that which is cookie-dependent.

- It's not clean at all because if a user has the name of the id of another user (for example a user named "314"), if the user tries to log in normally (using the login form) and it fails, the cookie authentication method will be used, and if the password hash is the same as the user "314", the user will be authenticated. I know the chances are near 0%, but that's just to show that it's not very clean.

Any idea on how to implement that in a clean way? Thanks!!
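One way to make each backend answer only to its own credential names, as an added example that is not part of the original post and does not use Django itself: the authenticate() loop, user store and SECRET_KEY below are stand-ins I constructed to mirror how django.contrib.auth.authenticate(**credentials) passes the same keyword arguments to every backend. The cookie carries an HMAC over the user id and stored hash instead of the hash itself, and extra cookie-only data (such as "remember") is absorbed by **kwargs in the backend that does not care about it.

```python
import hashlib
import hmac

# Constructed stand-ins for settings.SECRET_KEY and the imported user table.
SECRET_KEY = b"constructed-secret-key-for-the-example"
USERS = {
    7: {"username": "alice", "password_hash": hashlib.sha256(b"alice-pw").hexdigest()},
    314: {"username": "bob", "password_hash": hashlib.sha256(b"bob-pw").hexdigest()},
}


def cookie_token(user_id, password_hash):
    """Value to store in the cookie: keyed hash over id and stored hash."""
    msg = f"{user_id}:{password_hash}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


class Authentication:
    """Login-form backend: only answers to username/password."""

    def authenticate(self, username=None, password=None, **kwargs):
        if username is None or password is None:
            return None  # not our credentials, let the next backend try
        for uid, user in USERS.items():
            if user["username"] == username:
                candidate = hashlib.sha256(password.encode()).hexdigest()
                if hmac.compare_digest(candidate, user["password_hash"]):
                    return uid
        return None


class CookieAuthentication:
    """Cookie backend: only answers to user_id/token, never to username."""

    def authenticate(self, user_id=None, token=None, **kwargs):
        if user_id is None or token is None:
            return None
        user = USERS.get(user_id)
        if user is None:
            return None
        expected = cookie_token(user_id, user["password_hash"])
        return user_id if hmac.compare_digest(expected, token) else None


BACKENDS = [Authentication(), CookieAuthentication()]


def authenticate(**credentials):
    """Mirrors django.contrib.auth.authenticate: first backend returning a user wins."""
    for backend in BACKENDS:
        user_id = backend.authenticate(**credentials)
        if user_id is not None:
            return user_id
    return None
```

Because the form backend never sees user_id and the cookie backend never sees username, a username that happens to equal another user's id ("314") can no longer reach the cookie path.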