On 17 jul, 02:05, "Robert Coup" <[EMAIL PROTECTED]> wrote:
> It's not that hard to handle...
>
> 1. Have long-lived sessions:
>    - if there isn't a user associated: "anonymous"
>    - if it has a user: "known"
>
> 2. When a user logs in (i.e. types their username and password):
>    - add the user reference to the session (this is done by Django's default
>      login view)
>    - create a separate token (time+random+userid+secret, etc) and:
>      - add it to the session
>      - send it in a separate cookie (e.g. auth_token) to the browser. Have
>        this cookie be short-lived (browser session or short expiry time)

I had done it just the other way around: use session cookies and add a
long-lived cookie for identification. :-)

> 3. When you want to check for authenticated:
>    - check the session has a user
>    - check the auth_token cookie exists in the request
>    - check the auth_token cookie value matches the corresponding value stored
>      in the session
>    If all match, the user is "authenticated". Otherwise they're "known", but
>    need re-authenticating (i.e. please confirm your password to continue), in
>    which case the new auth_token is created as in (2).
>
> Doing all the above overrides the login view - which is common to override
> anyway afaik, and maybe adds a view decorator to check for "authenticated"
> (e.g. @authenticated_login_required)

If you override the login view you will not catch calls to login / authenticate
from Python, but maybe that is not so important. (I was looking for a general
solution.)

Additionally, existing code like the admin interface should still only work for
authenticated users, so you cannot get away with adding a new decorator for
'really authenticated users'. My solution had the User object wrapped in a
proxy that returns False on is_anonymous() and is_authenticated().

Regards,
Joost

You received this message because you are subscribed to the Google Groups "Django developers" group.
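The two-tier scheme Robert describes (a long-lived session that marks the user as "known", plus a short-lived auth_token cookie that must match the value kept in the session before the user counts as "authenticated"), together with Joost's proxy that makes a merely known user fail is_authenticated(), as an added Python example that is not code from this thread or from Django. It uses plain dicts in place of Django's session and cookie objects; the secret key, the token lifetime, the token layout and the names KnownUserProxy and current_user are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumptions (not from the thread): a server-side secret and a token lifetime.
SECRET_KEY = b"constructed-example-secret-change-me"
AUTH_TOKEN_MAX_AGE = 15 * 60  # seconds the auth_token cookie stays valid


def _sign(payload: str) -> str:
    """HMAC over the payload so a client cannot forge or alter a token."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_auth_token(user_id: int, now: Optional[float] = None) -> str:
    """time + random nonce + userid, bound together with the server secret (step 2)."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    payload = f"{ts}:{nonce}:{user_id}"
    return f"{payload}:{_sign(payload)}"


def login(session: dict, cookies: dict, user_id: int, now: Optional[float] = None) -> None:
    """Step 2: record the user in the long-lived session and issue the short-lived auth_token."""
    session["user_id"] = user_id
    token = make_auth_token(user_id, now)
    session["auth_token"] = token
    # In a real app this is a Set-Cookie with a short max-age, HttpOnly and Secure.
    cookies["auth_token"] = token


def auth_state(session: dict, cookies: dict, now: Optional[float] = None) -> str:
    """Step 3: classify the request as 'anonymous', 'known' or 'authenticated'."""
    if "user_id" not in session:
        return "anonymous"
    presented = cookies.get("auth_token")
    stored = session.get("auth_token")
    if not presented or not stored:
        return "known"  # session is known but the short-lived cookie is gone
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(presented, stored):
        return "known"
    parts = presented.split(":")
    if len(parts) != 4:
        return "known"
    ts, nonce, uid, mac = parts
    # Defence in depth: the token must also verify on its own and match the session user.
    if not hmac.compare_digest(mac, _sign(f"{ts}:{nonce}:{uid}")):
        return "known"
    if uid != str(session["user_id"]):
        return "known"
    current = time.time() if now is None else now
    if not ts.isdigit() or current - int(ts) > AUTH_TOKEN_MAX_AGE:
        return "known"  # token expired server-side even if the cookie lingered
    return "authenticated"


class KnownUserProxy:
    """Joost's approach: wrap the user so existing is_authenticated()/is_anonymous()
    callers (such as the admin) treat a merely 'known' user as not authenticated."""

    def __init__(self, user):
        self._user = user

    def is_anonymous(self):
        return False

    def is_authenticated(self):
        return False

    def __getattr__(self, name):
        # Everything else (username, email, ...) is still readable from the real user.
        return getattr(self._user, name)


def current_user(session: dict, cookies: dict, user_lookup, now: Optional[float] = None):
    """Return None (anonymous), a KnownUserProxy (known) or the real user (authenticated)."""
    state = auth_state(session, cookies, now)
    if state == "anonymous":
        return None
    user = user_lookup(session["user_id"])
    return user if state == "authenticated" else KnownUserProxy(user)
```

A request handler would call current_user() once and, on a KnownUserProxy, redirect to a "confirm your password" page whose successful submit calls login() again to mint a fresh auth_token, which is the re-authentication step (2) in the quoted scheme.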