Using Django User Authentication from an Android App (CSRF issue?)


Ethan Lowry

Feb 12, 2014, 8:41:24 AM
to django...@googlegroups.com
Hi there,

I have a bare-bones Django app set up and am planning on using the built in Django user auth to manage log in and registration via the Android app I'm developing. 

I've tried this a number of ways and can, for example, log in by sending a GET request such as ([url]/login?username=[username]&password=[password]) and returning a JSON representation of the user if it's valid.

Obviously this isn't an ideal or secure way of doing things and what I originally tried was sending a POST request, but this gets denied with a 403 and a message about not having a CSRF cookie attached.
I did some reading up and get roughly what this is, but could not find any mention of how to get around this issue if you have to send a POST request from another application, as in my case. Is it possible to do something like make a GET request to Django, take a usable cookie from the response and attach it to my POST request before sending?

If anyone knows much about this issue, or has any general advice or best practices regarding Django authentication on a mobile app, I'd much appreciate it.

Thanks,
Ethan

Thomas Leo

Feb 12, 2014, 10:02:00 AM
to django...@googlegroups.com
>> Obviously this isn't an ideal or secure way of doing things and what I originally tried was sending a POST request, but this gets denied with a 403 and a message about not having a CSRF cookie attached.

I haven't developed anything with Android, but it sounds like you need to send a CSRF token in your POST request; this can be done in JS, see: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

Cal Leeming [Simplicity Media Ltd]

Feb 12, 2014, 10:17:49 AM
to django...@googlegroups.com
Hi Ethan, comments inline:


On Wed, Feb 12, 2014 at 1:41 PM, Ethan Lowry <ethan...@gmail.com> wrote:
Hi there,

I have a bare-bones Django app set up and am planning on using the built in Django user auth to manage log in and registration via the Android app I'm developing. 

I've tried this a number of ways and can, for example, log in by sending a GET request such as ([url]/login?username=[username]&password=[password]) and returning a JSON representation of the user if it's valid.

Sending a user's clear text password in a GET request is not a great approach: you end up with an access log full of passwords, and generally speaking it's an evil approach. You could use a one-time pad approach (i.e. create a unique string based on the user's password), but typically the size of a password is small, which increases the risk of brute forcing the string to determine the password. [1] Though you could salt it a bunch of times for good measure. [2]


Obviously this isn't an ideal or secure way of doing things and what I originally tried was sending a POST request, but this gets denied with a 403 and a message about not having a CSRF cookie attached.
I did some reading up and get roughly what this is, but could not find any mention of how to get around this issue if you have to send a POST request from another application, as in my case. Is it possible to do something like make a GET request to Django, take a usable cookie from the response and attach it to my POST request before sending?

There's a couple of ways of doing this. You could disable the CSRF protection for specific views [1], or use the CSRF AJAX approach [2].


If anyone knows much about this issue, or has any general advice or best practices regarding Django authentication on a mobile app, I'd much appreciate it.

Hopefully this answers your question, but let me know if I've missed/overlooked anything.

Thanks,
Ethan

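The cookie-then-header handshake that Thomas and Cal point to, as an added example that is not part of this thread or of Django itself: the client reads the `csrftoken` cookie from an initial GET, then echoes it in the `X-CSRFToken` header of the login POST, and a simplified server-side check shows why a bare POST with neither copy gets the 403 from the question. The cookie and header names are Django's documented defaults; the `Set-Cookie` sample is constructed.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Default names used by Django's CSRF middleware and its AJAX recipe.
CSRF_COOKIE = "csrftoken"
CSRF_HEADER = "X-CSRFToken"

# Constructed stand-in for the Set-Cookie header a GET to the login page returns.
SAMPLE_SET_COOKIE = ["csrftoken=3f9c1b2a6d8e4f70a1b2c3d4e5f60718; Max-Age=31449600; Path=/"]


def extract_csrf_token(set_cookie_headers):
    """Return the csrftoken value from a response's Set-Cookie headers, or None."""
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        if CSRF_COOKIE in jar:
            return jar[CSRF_COOKIE].value
    return None


def build_login_post(token, username, password):
    """Headers and form body for the login POST. The token travels twice: in the
    Cookie header (as a browser would send it) and in X-CSRFToken (what the AJAX
    recipe adds). Credentials go in the body, never the URL, so they stay out of
    access logs."""
    headers = {
        "Cookie": f"{CSRF_COOKIE}={token}",
        CSRF_HEADER: token,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode({"username": username, "password": password})


def server_csrf_check(headers):
    """Simplified mirror of the middleware's double-submit comparison: accept only
    when both copies are present and equal. A POST carrying neither is the 403
    described in the question."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_token = jar[CSRF_COOKIE].value if CSRF_COOKIE in jar else None
    header_token = headers.get(CSRF_HEADER)
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)
```

On a real client the same two steps apply: keep the cookie jar from the GET, and copy its `csrftoken` value into `X-CSRFToken` on every POST.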

Cal Leeming [Simplicity Media Ltd]

Feb 12, 2014, 10:25:09 AM
to django...@googlegroups.com
On Wed, Feb 12, 2014 at 3:17 PM, Cal Leeming [Simplicity Media Ltd] <cal.l...@simplicitymedialtd.co.uk> wrote:
Hi Ethan, comments inline:


On Wed, Feb 12, 2014 at 1:41 PM, Ethan Lowry <ethan...@gmail.com> wrote:
Hi there,

I have a bare-bones Django app set up and am planning on using the built in Django user auth to manage log in and registration via the Android app I'm developing. 

I've tried this a number of ways and can, for example, log in by sending a GET request such as ([url]/login?username=[username]&password=[password]) and returning a JSON representation of the user if it's valid.

Sending a user's clear text password in a GET request is not a great approach: you end up with an access log full of passwords, and generally speaking it's an evil approach. You could use a one-time pad approach (i.e. create a unique string based on the user's password), but typically the size of a password is small, which increases the risk of brute forcing the string to determine the password. [1] Though you could salt it a bunch of times for good measure. [2]


Sorry, I forgot to say: is there any reason why you cannot use a POST request instead of GET? There are a few valid use cases for this, for example supporting legacy systems or authentication handoff between separate sites/systems (I believe Xero use, or used, a similar approach).

Ethan Lowry

Feb 12, 2014, 11:02:41 AM
to django...@googlegroups.com
Hi Cal, first off thanks for the detailed response.

Regarding your second reply, I'm not sure I understand the question. The CSRF issue I described *is* the reason I was unable to use POST requests, which is what I originally wanted to do.

I will look in to all the options in the links posted and get back to you with how it goes, thanks very much.

Cal Leeming [Simplicity Media Ltd]

Feb 12, 2014, 11:09:07 AM
to django...@googlegroups.com
On Wed, Feb 12, 2014 at 4:02 PM, Ethan Lowry <ethan...@gmail.com> wrote:
Hi Cal, first off thanks for the detailed response.

Regarding your second reply, I'm not sure I understand the question. The CSRF issue I described *is* the reason I was unable to use POST requests, which is what I originally wanted to do.

Doh sorry, I had a bit of a slow moment there!