Hello! In my situation, I need to communicate with the django application through python from the desktop application (using python.requests).
The logic is this:

1 - Transfer the username and password to the login() - get and save to file the *session_id*.
2 - Use *session_id* from file to identify user for *get()* and *post()* requests. In order not to transfer login and password every time.
3 - Before each *post()* request, I make a *get()* request to get a CSRF code.

What I get: If you use a fresh *session_id* (without saving to a file) then everything works. And if you use *session_id* from a file, then the user is identified only for *get()* requests. For *post()* requests, the user is not identified.

So the question is: What am I doing wrong, or should it be so?

Code examples:

    # In myApp/views.py
    import json

    from django.contrib.auth import authenticate, login
    from django.http import HttpResponse
    from django.middleware.csrf import get_token

    def db_login(request):
        if request.method == 'POST':
            user = authenticate(request, username=request.POST.get('username'), password=request.POST.get('password'))
            if user is not None:
                login(request, user)
                return HttpResponse(json.dumps([True, "Logged In", dict(request.headers), request.user.username]))
            else:
                # json.dumps() takes a single object, so the pair is wrapped in a list.
                return HttpResponse(json.dumps([False, "Not Logged In"]))
        else:
            get_token(request)  # adding csrftoken in cookies.
            return HttpResponse(json.dumps([request.method, request.user.username]))

    def studio_create(request):
        if request.method == 'POST':
            return HttpResponse(json.dumps((request.method, dict(request.headers), request.user.is_authenticated, request.user.username)))
        else:
            get_token(request)  # adding csrftoken in cookies.
            return HttpResponse(json.dumps((request.method, dict(request.headers), request.user.is_authenticated, request.user.username)))

The case when everything works, when the user was identified by *session_id* when executing a *post()* request:

    # In Desktop app
    import json
    import requests

    # HOST is not defined in the post; assumed here from the Host header in the output below.
    HOST = 'http://localhost:8000/'

    def post_var1():
        create_url = f'{HOST}db/studio/create/'
        login_url = f'{HOST}db/login/'
        cookie_path = '/tmp/cookie'

        # (1.0) get to login()
        sess = requests.Session()
        r1 = sess.get(login_url)

        # (1.1) post to login()
        csrf_token = r1.cookies.get('csrftoken')
        r2 = sess.post(login_url, data=dict(username='vofka', password='1234', csrfmiddlewaretoken=csrf_token))

        # (1.2) write cookie
        with open(cookie_path, 'w') as f:
            f.write(json.dumps(dict(r2.cookies)))

        # (2.0) get to create()
        sessionid = r2.cookies.get('sessionid')
        r3 = sess.get(create_url, cookies=dict(sessionid=sessionid))

        # (2.1) post to create()
        csrf_token = r3.cookies.get('csrftoken')
        r4 = sess.post(create_url, data=dict(csrfmiddlewaretoken=csrf_token, cookies=dict(sessionid=sessionid)))

        print(r4.json())

    >> ["POST", {"Content-Length": "102", "Content-Type": "application/x-www-form-urlencoded", "Host": "localhost:8000", "User-Agent": "python-requests/2.23.0", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "keep-alive", "Cookie": "csrftoken=JXTlxGsCPzj6LbeOfJwYJ2A2OYnVEucEp1WhhCF6C4ML2gGs4kJrOQEuXgm9SFSJ; sessionid=vuhkhofnxeh485ar0rocfnotdttmfbp3"}, true, "vofka"]

The case when *session_id* from a file is used. And the user is identified only for *get()* requests.

    # In Desktop app
    import json
    import requests

    # HOST as defined for post_var1 above.

    def post_var2():
        url = f'{HOST}db/studio/create/'
        html = '/tmp/mtest.html'
        cookie_path = '/tmp/cookie'

        # (1) read cookie
        with open(cookie_path, 'r') as f:
            cookie = json.load(f)

        # (2) get to create()
        sess = requests.Session()
        r3 = sess.get(url, cookies=cookie)

        # (3) post to create()
        csrf_token = r3.cookies.get('csrftoken')
        r4 = sess.post(url, data=dict(csrfmiddlewaretoken=csrf_token, cookies=cookie))

    >> print(r3.json())
    >> ['GET', {'Content-Length': '', 'Content-Type': 'text/plain', 'Host': 'localhost:8000', 'User-Agent': 'python-requests/2.23.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'csrftoken=JXTlxGsCPzj6LbeOfJwYJ2A2OYnVEucEp1WhhCF6C4ML2gGs4kJrOQEuXgm9SFSJ; sessionid=vuhkhofnxeh485ar0rocfnotdttmfbp3'}, True, 'vofka']
    >> print (r4.json())
    >> ['POST', {'Content-Length': '120', 'Content-Type': 'application/x-www-form-urlencoded', 'Host': 'localhost:8000', 'User-Agent': 'python-requests/2.23.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Cookie': 'csrftoken=JXTlxGsCPzj6LbeOfJwYJ2A2OYnVEucEp1WhhCF6C4ML2gGs4kJrOQEuXgm9SFSJ' }, False, '']

Django version 3.0.3
Python version 3.7.6

*settings.MIDDLEWARE* did not change from the creation of the project with the *startproject* command:

    # In settings.py
    MIDDLEWARE = [
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ]
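Added example, not part of the original post: it prepares the POST from post_var2 without sending it, to show where a dict passed as `cookies=` inside `data=` ends up, next to the same POST from a Session whose jar was loaded from the saved file. The helper names (`save_cookies`, `load_session`, `prepared_post`, `demo`) and all cookie values are constructed for illustration; the URL is assumed from the Host header and paths shown in the post.

```python
import json
import os
import tempfile

import requests

URL = "http://localhost:8000/db/studio/create/"  # assumed from the post's output


def save_cookies(path, cookies):
    """Store cookies readable by the owner only: sessionid is a bearer credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cookies, f)


def load_session(path):
    """Return a Session whose cookie jar already holds the saved cookies."""
    sess = requests.Session()
    with open(path) as f:
        sess.cookies.update(json.load(f))
    return sess


def prepared_post(sess, **kwargs):
    """Return the (Cookie header, body) requests would send; no network I/O."""
    req = sess.prepare_request(requests.Request("POST", URL, **kwargs))
    return req.headers.get("Cookie", ""), req.body


def demo():
    # Constructed values; the token is 64 characters like the one in the post.
    saved = {"csrftoken": "c" * 64, "sessionid": "constructed-session-id"}
    path = os.path.join(tempfile.mkdtemp(), "cookie")
    save_cookies(path, saved)
    form = dict(csrfmiddlewaretoken=saved["csrftoken"])

    # post_var2 pattern: jar holds only the csrftoken from the GET, cookies go in data=.
    fresh = requests.Session()
    fresh.cookies.set("csrftoken", saved["csrftoken"])
    in_body = prepared_post(fresh, data=dict(form, cookies=saved))

    # Saved cookies loaded into the jar instead: sent in the Cookie header.
    in_jar = prepared_post(load_session(path), data=form)
    return path, in_body, in_jar


if __name__ == "__main__":
    print(demo())
```

With the constructed 64-character token, the first prepared body is 120 bytes long, the Content-Length shown for the unauthenticated POST in the post.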