Wednesday, July 31, 2013

Re: Remote Authentication and Session Management

Is this an inactivity timeout?  If so, you could perform an interaction with the back end every time the user interacts with you, even if the user's interaction doesn't require it, thereby extending the timeout just as though the user was working directly.

Just performing an interaction periodically to extend the timeout, despite the lack of a user interaction, would be circumventing the back end's security policy, not to be done lightly.  But accepting AJAX indications that the user is actively paging through the data (detecting scrolling in JavaScript, for example, or responding to a popup that says timeout is coming) as a reason to perform a timeout extending interaction probably doesn't violate the back end's policy.

If, instead, the timeout happens whether or not there has been recent interaction, then it would be best to consider frequent re-authentication to be the back end's policy, and pass that burden on to the user.

As far as managing the back end cookie goes, store it on the user's session object.  Update it when it changes (or when it is handed to you, whether or not it differs; the change is low cost).  There is no need to send it on to the user's browser, which already gets the Django session key.

See:

  https://docs.djangoproject.com/en/dev/topics/http/sessions/


On Wed, Jul 31, 2013 at 8:29 AM, <bruno@brunomcustodio.com> wrote:
I'm using Django to build a frontend application which will fetch data from a remote (RESTful, for the matter) API for presentation to users that can authenticate within the API. This API will, upon every successful login, output a cookie which I will need to use in further requests, and to this cookie will correspond a given (session) timeout (so that I will need to login again within the API to generate a new cookie). I was advised to stay away from storing usernames and passwords myself on the frontend side of the matters, so now I need to figure out how can I store this cookie upon and associate it with a browser session so that I can know if a given user is "authenticated" in view code. How do I go about accomplishing this?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.
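The cookie-on-the-session approach from the reply above, as an added example that is not from the thread: the Django session is modelled as a plain dict (request.session is dict-like), so it runs without Django installed; the key names, the `backend_touch` callable and the `at()` clock helper are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical session keys; a plain dict stands in for request.session here.
COOKIE_KEY = "backend_cookie"
EXPIRES_KEY = "backend_cookie_expires"

# Constructed reference clock so the example is deterministic.
T0 = datetime(2013, 7, 31, 8, 29, tzinfo=timezone.utc)


def at(seconds):
    """Instant `seconds` after T0 (constructed, replaces datetime.now in a view)."""
    return T0 + timedelta(seconds=seconds)


def store_backend_cookie(session, cookie, ttl_seconds, now):
    """Save the cookie the back end handed us and when its timeout will hit.
    Overwriting unconditionally is cheap, so there is no need to compare first."""
    session[COOKIE_KEY] = cookie
    session[EXPIRES_KEY] = (now + timedelta(seconds=ttl_seconds)).isoformat()


def backend_expiry(session):
    """Expiry instant currently recorded on the session, or None."""
    expires = session.get(EXPIRES_KEY)
    return datetime.fromisoformat(expires) if expires else None


def is_backend_authenticated(session, now):
    """What view code asks: is there a live back-end cookie for this browser?"""
    if not session.get(COOKIE_KEY):
        return False
    expires = backend_expiry(session)
    return expires is not None and now < expires


def extend_on_user_activity(session, backend_touch, inactivity_timeout, ttl_seconds, now):
    """Call when the browser reports genuine user activity (scroll, paging, popup).
    For an inactivity timeout one back-end interaction resets the clock;
    `backend_touch` is a hypothetical callable that performs that request and
    returns the (possibly refreshed) cookie. For an absolute timeout nothing can
    be extended, so the user is asked to re-authenticate once the cookie expires."""
    if not inactivity_timeout or not is_backend_authenticated(session, now):
        return False
    new_cookie = backend_touch(session[COOKIE_KEY])
    store_backend_cookie(session, new_cookie, ttl_seconds, now)
    return True
```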
