What is the exact use of session ID, is it system generated or we assign it as we assign other dictionary values of session ? Please explain in layman terms.
The Django Session Documentation give a good explanation as well as providing great examples. Give that a read and you should have a good idea about how you can use sessions with Django.
Essentially it gives a good way to associate data with anonymous users, for example I just built a site where users add items to their cart and purchase the items. To be able to do that without requiring them to sign up for an account, I used session data.
Here are some Example Code of how to use session data.
Related
I had no idea how to structure an accurate title for this question, but I did my best so please bear with me.
I am working on a app for my hockey team that consists of a django app and an mobile app that communicates with the django app using JSON (django-rest-framework). However, one problem I am struggeling with figuring out how to solve is as follows:
You create a user (using Token Authentication), and then you create a player and/or a manager.
However, what I am struggling with is what to do when an existing user logs in. How do I check whether or not there is a player or manager associated with that user? When I log in, all I get in return from the rest framework is that user's authentication token, so from a programming perspective, I have no clue what user it actually is since I dont have the user's Id. Even if I did, how can I look up players by anything other than their Id? Currently the only idea I have is to grab all players and loop through them to find one with the same email address as the user currently signed in has.
Hope this made some degree of sense!
Thanks
This isn't really a question about JSON.
Surely the token is associated with a user ID? I don't use django-rest-framework, but the documentation for TokenAuthentication is pretty clear that once the user logs in with their token, you'll get a normal auth.User instance in request.user just like you would with a standard web-based login.
Your second question is probably made irrelevant by that, but even so, you can always query by an email address, without needing to loop through:
Manager.objects.get(email=my_email_address)
Again this is standard Django querying - if you're not familiar with that syntax, you should do the Django tutorial.
Of course, since you have a User already, you can do a more efficient foreign key lookup:
Manager.objects.get(user=request.user)
or even
request.user.manager
(assuming you have a one-to-one relationship from User to Manager - it would have been helpful to see your models).
I have a webapp that allows authenticated as well as anonymous users to start entering some form data. If a user is happy with his/her input, he/she can save that form to the server. This is a very similar problem to a shopping cart application that does not require login until checkout time.
For the authenticated user, implementing a save button is trivial. However for the anonymous user, the form data need to be stored somewhere while authentication is taking place, then correctly retrieved after logged in. Can someone please suggest some general strategies to go about this?
I found this link that is promising but I want to be thorough about this topic.
I think the correct way of doing this is to use django sessions. Basically each user (anonymousUser included) has a session during its stay on the website (or even more).
If you have a form that you want to store for a specific session, you can do it by using
request.session['myform'] = form
you get it by
request.session['myform']
and you can delete it using
del request.session['myform']
Basically Django pickles a dictionary of the session and saves it in a place (typically the database, but can be on other place as explained in django sessions).
PHP
My website is almost done, but i'm having some problems with security. Actually, i didn't have problems yet, but i need to prevent. For example, the login system, i'm using cookies/session for it. And as people answered here, cookies are easy to overcome, and it's vunerable.
What is the best way to do a login system, including the passwords and data security?
Also, i'm using cookies for write the names of the users on posts. For example.
(Pretending that the login was successful)
$Cookie = $_COOKIE['username'];
$Cookie = $FetchUserNameFromDatabase;
//Then, on posts to write the name of the user, from the cookie.
$DoPost = "INSERT INTO posts (username, message) VALUES ($Cookie, $AnyMessage)";
Is this the best way to write the users name on posts, from a cookie value (since after login, the name of the user is saved on a cookie)?
IF NOT, what is the best way to do it?
Thanks in advanced.
#EDIT
I forgot to ask. Also, what's the best way to prevent people do a lot of comments (mass-spam)? For example, i do a comment (or a vote, or whatever) and works fine. Then, i do another comment and it blocks me for some time and i can't comment again until this time expires. What's the best way to do it, or at least, what the major sites/forums uses to prevent it?
Thanks again.
Why don't you just use session ids? I'd implement a login using a https connection, then assign a sessionid, wich identifies the user against your db. For further reference you won't even need a secure connection anymore.
In case you want to identify a post just use somthing like "SELECT username FROM users WHERE sessid=" . session_id()
In point of view, you should only use cookie information when you perform an operation that DOES NOT change the state of your application; like displaying the User name in the top of a page.
However in every scenario that you application is changing its state like adding a new POST (in your example) you definetly must not trust the client cookies.
To answer "The best way to do it", it depends on what technologies your are relying on.
Edit:
To prevent mass spam you should use the cookie information and the request information the like IP address.
I have a page where user is asked only for the payment amount, then user will be redirected to another website where the payment will be processed, I want the amount to be set on the redirected page without using querystring,cokkie, etc..
I tried to use web service but here is my challange:
user enters amount on the website.
webservice is called and set the amount to ex:400$
then user is redirected without any query string to another website.
Now:
how this payment website will know that this user is the user entered 400$ on the redirecting page?
I can count on approaches more secure than this also.
thanks
I have made some research on net and asked my experienced friends, the answer is "impossible" this way.
Because redirected website somehow identify that user and there is no solution without querystrings or browser related components,
Here is my friend's advice and i am little bit satisfied, not totally :)
He calls this approach as ticketing,
First create a datetime.now integer, with that number add id and amount of money to be processed.
Then make a complex function to encrypt data. take square of every odd digit then divide to 7 etc.
then on the other website, decrypt data and check datetime if its within 5 minutes for example,
the link is valid.
You have to pass the data to the other website somehow.
Cookies wouldn't work due to domain restrictions.
Query string or form posts could work, but you don't want to use query strings.
Alternatively, if both sites share infrastructure, you could use that to share information - for example if they both have access to the same database, you could use that to share data (though you would still need to identify the specific user to both sites).
The way the service would have to work is to give back some token, probably a GUID, that the site will then look for in the querystring of an HTTP request, to identify the owner of that pre-populated data. You then tack that token onto your redirect, and the client makes a request that causes the payment site to go pull the pre-loaded data for that client.
You still have to use a query string, but now, the query string doesn't contain any human-consumable information; they can't identify their $400 amount in the query string and change it to a different amount of money. If they change the GUID at all, the request will most likely fail as that GUID won't exist in whatever datastore of pre-populated data exists behind the payment site.
Contact the website/web service/gateway. They will provide you the API which will define parameters and methods to accept payment amount. If you are the author of such service, provide mechanism to accept such parameters from your caller application. Communication should be secure, using SSL.
For example for payment gateway Paypal, check this for ideas:
Use of the PayPal payment system in ASP.NET
Have a look on wikipedia.
Shortly the answer is impossible this way, because somehow the redirect website should identify the user, all the ways are browser related or ip ( which can cause many issues later)
Intro
I am working on an e-commerce website. And we want to add a feature where a user can refer others via a custom link e.g.:
http://example.com/a1t2312 or http://example.com/?ref=a1t2312 (a1t231 being the referral code).
A user following such a link, will navigate a few pages on the site. And if he reached the 'buy' page and purchases something - the original referrer will get a discount.
The question is:
What is the best method to track the referral code? Put it in the user's cookies? Stick it somehow into the session? Other method?
I would definitely use cookies, as it is the easiest (but not foolproof, though). Sessions are by site, so that won't work, unless the receiving site has some code to handle the user.
All methods mentioned by you are OK. If I were you I would consider using sessions because it is more natural to me.
disclaimer: session has some limitations when you want to build application ready for heavy-load. For complicated demployment scenarios avoiding sessions might be a good choice.