I do some stuff on user logout, so I want to extend the method where Django does the logout on expired/invalid session but I don't find where it does it. Can you help me to point where the logout happens?
It doesn't. When a session expires, it just expires, that's all.
I think your question is based on a misunderstanding about what it means to be logged in at all. Django doesn't know who's logged in at any particular time; the web is stateless, and the only time Django knows about a user is when they make a request. At that point, Django can distinguish between a user that has a valid session cookie and one that doesn't. But if the session subsequently expires, the first Django will know about it is when that user next makes a request.
you can get the user in anyplace of view by request.user. if you get a valid user info by request.user then the user is logged in . and this is NULL then the user is not logged in.
Related
I have my API set up using SessionAuthentication. Once a user logs in, I redirect them to their profile page in React. Once they are redirected to their profile page, I want to make a REST call to retrieve their profile data and insert it in the proper location on the page. I see a couple ways I can do this:
When a user logs in, put their User ID into the Response object (DRF) and then store that in the client somewhere (Redux store, session storage, or local storage). Then when they are redirected to the login page, make a REST call to /users/users_id.
With Django sessions the logged in user is automatically tied to each request. So do I even need to follow Rest here? I can make a call to /users, and if the user is authenticated, return their data.
I would appreciate any help with this. Thank you.
With SessionAuthentication, after a successful login, the browser saves a sessionId cookie for that domain (or ip:port) automatically. Sending a request will send that cookie from the same domain no matter with Django or React, and authenticate the user, making your request.user a user.
You can check for the cookie when you inspect the page -> Application -> Cookies -> Your domain -> sessionId
Basically, you can login via Django and it will login you with React as well. No need to store anything manually. Just use the same domain for both.
I hope someone can help me with this.
Scenario:
1) A user goes to our website /customer-area/ and gets logged in using the following Django code:
account = authenticate(email=email, password=password)
login(request, account)
2) Angular then sets a cookie to say she is logged in.
3) She then goes to /admin/ and is presented with the message:
You are authenticated as user#user.com, but are not authorized to access this page. Would you like to login to a different account?
She chooses to log in as an administrator.
4) She then goes back to /customer-area/.
Problem:
Angular checks a cookie to make sure she's authenticated but gets confused. The cookie says she's authenticated using the account she used in step (1) above, but Django thinks she's authenticated using the account she used in step (3) above. (Django is correct). This is causing all sorts of confusion for Angular.
So I guess I need to add some functionality to the login view to destroy the Angular cookie when an admin logs in.
Do any of you know how I can override the Admin login view?
Or perhaps there is an easier way to deal with this problem which I cannot think of.
Thanks for your help!
How to get django user session objects from user id or email?
I am stuck with a problem for a particular user, he gets logged out from the system very frequently. I need to get the list of session objects for a particular user.
Session object is accessible by session_key, which is random string. It's generated on server side and stored in client side in Cookie. So it's impossible to identify user by session.
In this Django code I inherited there is a check for request.user.is_authenticated().
How do I set this authenticated attribute for a user, in particular when I am doing a registration through AJAX JSON?
To log a user in, you should django.contrib.auth.login - see the docs here: https://docs.djangoproject.com/en/1.5/topics/auth/default/#auth-web-requests
Note, though, that you should authenticate the user (i.e. check their credentials) before you do so, with django.contrib.auth.authenticate - same docs as above.
This is regardless of whether you're using AJAX or not - this code has to be in a view somewhere that gets called in order for the user to get logged in. Whether that view is called via AJAX or not is irrelevant.
The only user this will return false for is AnonymousUser; all other users have it return true via their superclass. Therefore all you need to do is authenticate the user normally.
Ok, so this seems bad (and it probably is, but i have enough doubts at the moment that I want to try it).
I have a Django bases website with a jwplayer flash app embedded on one of the pages. The user has to login to get at that page. The jwplayer just plays an icecast stream.
What I would like/need to do is have it so that only authenticated users can get to the icecast server. At the moment if they grab the url from the webpage, they can get to it fairly trivially.
Icecast can authenticate via POST which I've setup in a django view.
So what I want is for the flashplayer to send the username and password of the user that is logged in, to icecast, which will then authenticate with the same username and password.
My problem is that django doesnt store the actual password, just a hash (a good thing) so I'm beginning to think that I cant really send the user and password to icecast for it to authenticate with.
My other thoughts were to just send the username, and check if that person has already authenticated.
But this would allow someone to listen if someone was already logged in.
Could I do something with a session variable or something?
Django guru's help me! Im open to all and any ideas.
Cheers
Mark.
Why not just have your flash player look for the Django session cookie and then validate against the web server that the user is logged in?
Add something like this to your urls:
(r'^loggedin/', logged_in_user),
Add a view something like this (not tested):
from django.http import HttpResponseForbidden
def logged_in_user(request):
if request.user.is_authenticated():
return HttpResponseForbidden()
else:
response = HttpResponse(mimetype='text/plain')
response.write('ok')
return response
Then just do a get on the /loggedin/ and check the return code, if it's 200 they are logged in if 401 they are not (assuming you are passing in the session cookies)