cookie based sessions or no?


Mike

Jun 13, 2012, 1:24:46 PM
to django...@googlegroups.com
I'm working on a desktop app that will communicate with a server.  I have some experience with Django and with the user authentication system but I haven't deployed a Django app with authentication yet.  I'm planning to use django for the server side component of this desktop app and the two will communicate over SSL with JSON.  Using Django, I can authenticate users and hold onto the cookie on the client side for authenticating the views that need it before they return their JSON.  I could also send the userid and password in every GET or POST.  Which method is better?  Is either more secure?  Using cookies I can take advantage of stuff built into Django such as the @login_required() decorator.

Kurtis Mullins

Jun 13, 2012, 1:29:45 PM
to django...@googlegroups.com
I wouldn't authenticate on every request. That seems like a lot of unnecessary work. Just authenticate once and use Cookies/Authentication Tokens to sustain the session. It's already built in so it's pretty easy to do. They even have a code snippet that shows how to use a special HTTP Header to keep this authenticated session going without relying on dumping the {% csrf_token %} on every response. It's written in Javascript but I'm sure you could take the same approach and include it in your Desktop application.

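The cookie-plus-header approach Kurtis describes, carried over to a non-browser client, as an added example that is not code from the thread or from Django itself: the client keeps the cookies the server set at login (Django's default cookie names `sessionid` and `csrftoken`) and, on every unsafe request, echoes the CSRF cookie value in the `X-CSRFToken` header that Django's CSRF middleware checks. The `Set-Cookie` values below are constructed sample data; a real client would read them off the login response and only ever send them over HTTPS.

```python
import http.cookies


class DesktopSessionClient:
    """Keeps a Django session alive from a desktop client without a browser:
    remember the cookies the server set at login and send them back, plus the
    CSRF token in the X-CSRFToken header, on each follow-up request."""

    SESSION_COOKIE = "sessionid"   # Django's default SESSION_COOKIE_NAME
    CSRF_COOKIE = "csrftoken"      # Django's default CSRF_COOKIE_NAME
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # Django skips CSRF checks for these

    def __init__(self):
        self.jar = {}  # cookie name -> value

    def absorb_set_cookie(self, set_cookie_headers):
        """Parse the Set-Cookie header values from the login response."""
        for header in set_cookie_headers:
            parsed = http.cookies.SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self.jar[name] = morsel.value

    def is_logged_in(self):
        return self.SESSION_COOKIE in self.jar

    def headers_for_request(self, method):
        """Headers to attach to a follow-up request to the Django server.
        The CSRF header is only needed for unsafe methods, so it is only
        added there; the session cookie goes with every request."""
        if not self.is_logged_in():
            raise RuntimeError("log in first: no session cookie held")
        headers = {
            "Cookie": "; ".join(f"{k}={v}" for k, v in sorted(self.jar.items())),
        }
        if method.upper() not in self.SAFE_METHODS:
            csrf = self.jar.get(self.CSRF_COOKIE)
            if csrf is None:
                raise RuntimeError("no csrftoken cookie held; unsafe request would be rejected")
            headers["X-CSRFToken"] = csrf
        return headers


# Constructed sample: what a login response might have sent back.
LOGIN_RESPONSE_SET_COOKIES = [
    "csrftoken=constructedCsrfValue123; Path=/; Secure",
    "sessionid=constructedSessionValue456; Path=/; HttpOnly; Secure",
]


if __name__ == "__main__":
    client = DesktopSessionClient()
    client.absorb_set_cookie(LOGIN_RESPONSE_SET_COOKIES)
    print(client.headers_for_request("GET"))
    print(client.headers_for_request("POST"))
```

`http.cookies.SimpleCookie` understands the `Secure` and `HttpOnly` attributes, so the same parser works on real `Set-Cookie` headers; the `HttpOnly` flag on `sessionid` is a browser-side restriction and does not stop a native client from reading the value it was handed.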

Nikolas Stevenson-Molnar

Jun 13, 2012, 1:40:59 PM
to django...@googlegroups.com
I agree; go with sessions. However, if you don't want to implement cookie handling in your desktop app, they don't have to be cookie-based sessions. If you write your own authentication backend (https://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend) you could, for example, send the session id as a query parameter. That way, you still get all the built-in authentication goodies (like @login_required) but without the overhead of handling cookies.

_Nik

Nikolas Stevenson-Molnar

Jun 13, 2012, 1:45:45 PM
to django...@googlegroups.com
Sorry, I should have said you could write your own authentication middleware (https://docs.djangoproject.com/en/1.4/topics/http/middleware/), not your own authentication backend (since I assume you're still using the standard username/password login). Just implement process_request(), look for the token in the query string, and set request.user appropriately.

_Nik
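The middleware Nik sketches, written out as an added example rather than code from the thread or from Django: a `process_request()` method that looks for a token and sets `request.user`. Django is not imported so the block runs stand-alone; `FakeRequest` stands in for `django.http.HttpRequest`, and the token store, the `X-Session-Token` header name and the `session_token` query parameter name are all assumptions. The token is minted once after the normal username/password login and stored only as a SHA-256 hash, so a leaked copy of the store does not hand out live sessions; the header is preferred over the query string because query strings end up in server and proxy logs.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600
# Constructed in-memory store: sha256(token) -> (username, expiry timestamp).
# A real server would keep this in a DB table or Django's session backend.
_tokens_by_hash = {}


def _hash_token(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(username, now=None):
    """Mint a fresh random token after a successful username/password login."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens_by_hash[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def revoke_token(token):
    """Logout, or cleanup of an expired token."""
    _tokens_by_hash.pop(_hash_token(token), None)


def user_for_token(token, now=None):
    """Username the token belongs to, or None if it is unknown or expired."""
    now = time.time() if now is None else now
    entry = _tokens_by_hash.get(_hash_token(token))
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        revoke_token(token)
        return None
    return username


class AnonymousUser:
    is_authenticated = False
    username = ""


class User:
    is_authenticated = True

    def __init__(self, username):
        self.username = username


class TokenAuthMiddleware:
    """Shaped like a Django 1.4 middleware: process_request() runs before the
    view and attaches request.user. The token is read from the (hypothetical)
    X-Session-Token header, which Django exposes as META['HTTP_X_SESSION_TOKEN'],
    falling back to the session_token query parameter as the thread suggests."""

    def process_request(self, request):
        token = request.META.get("HTTP_X_SESSION_TOKEN") or request.GET.get("session_token")
        username = user_for_token(token) if token else None
        request.user = User(username) if username else AnonymousUser()
        return None  # returning None lets the request continue to the view


class FakeRequest:
    """Stand-in for django.http.HttpRequest with just the attributes used here."""

    def __init__(self, headers=None, query=None):
        self.META = headers or {}
        self.GET = query or {}
        self.user = None


def authenticate_request(request):
    """Run the middleware and report whether a @login_required-style check
    on the view would pass for this request."""
    TokenAuthMiddleware().process_request(request)
    return request.user.is_authenticated


if __name__ == "__main__":
    tok = issue_token("mike")
    req = FakeRequest(headers={"HTTP_X_SESSION_TOKEN": tok})
    print("header token accepted:", authenticate_request(req), req.user.username)
    print("bogus token accepted:", authenticate_request(
        FakeRequest(headers={"HTTP_X_SESSION_TOKEN": "not-a-real-token"})))
```

Because `request.user` is set before the view runs, Django's own `@login_required` decorator would work unchanged on top of this; it only checks `request.user.is_authenticated`.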

Kevin Anthony

Jun 13, 2012, 3:40:38 PM
to django...@googlegroups.com

If you want to see an example, I have a Django app that sends JSON to both an Android app and a desktop app written in C.

Django App: http://github.com/KevinAnthony/rchip_website

Desktop App: http://github.com/KevinAnthony/rchip

Android App: http://github.com/KevinAnthony/rchip_android
