django session random timeout - django

I have a website, and I've been writing websites on Django for a while now, but never encountered something like this before...
The trouble is that when I log in everything seems all right, but as I surf random pages, it pretty often happens that the code between {% if user.is_authenticated %} {% endif %} disappears as if I am not logged in, though I just was.
If I go back to the previous page where I was logged in, before going to the next page, it shows I am logged in again, and it happens completely randomly. It's not like it happens after specific actions.
Often when I try to do it on purpose everything works fine, but as some time passes something like this occurs. Though if I go to the login page while it randomly shows I am logged out, it automatically logs me back in because, as I understand it, the session does exist; for some reason Django just does not see it...
I am very confused what might be wrong. Any possible advice would be great.
1) I am not using any session functions. Basically nothing that can on purpose trigger those events. Just simple logic in views and return render_to_response('template', RequestContext(request, {}))
2) Django is running on nginx and uwsgi
3) Here is the website, which is currently under development, but you can log in with user test and password test to try... maybe the same effect occurs and you'll see it... but I do not guarantee that it will occur immediately; it is completely random. To try, you just have to click random pages... and eventually you'll see that it shows that you logged out, though you didn't.

Your post does not give us much info to work with, and your page times out.
My best suggestion is to add the login_required decorator to all of your views. If you are in fact being logged out you will be able to see where this occurs.
Add the import to the top of your page, and the decorator above every view like so:
    from django.contrib.auth.decorators import login_required

    @login_required(login_url='LINK_TO_LOGIN_URL')
    def first_view(request):
        # Your view code
        pass
You will be redirected to your login URL at any point that you are not logged in.
Once you diagnose where you are being logged out, you should be able to troubleshoot much easier. If you are able to access every view, then you can troubleshoot your templates and your is_authenticated code.

Related

Logout message using django-allauth and redirect to home page

I'm using allauth for authentication and django messages work really well throughout all signup, login etc stages.
However, to avoid the 2-step 'are you sure you want to logout?' I have overridden the allauth view like so:
url(r'^accounts/logout/$', 'django.contrib.auth.views.logout',{'next_page': '/', }),
This technique works fine, and the user is redirected to the home page immediately after clicking 'logout.'
However, with this approach I'm no longer able to display a successfully logged out message.
Could anyone give me a tip on how to do this using the messages framework and my current setup?
Thanks in advance,
The simple answer to this is to simply set:
ACCOUNT_LOGOUT_ON_GET to True
The extra url to override accounts/logout isn't necessary..

How to moderate django_openid_auth

I am implementing openid feature using django_openid_auth library which is quite amazing..
However I am looking for very specific moderation settings.
Although OpenID is made available for everyone, I am looking to implement the rules below:
1) OpenID should provide an email address. Not all guys provide one.
2) The email address should be on the access-granted list present in my db.
I started to think of possible ways, like creating custom middleware, a custom login_required decorator, etc. But I am unable to think of a way that fits the bill exactly.
If anyone can add suggestions, it would be appreciated.
Acquiring the email address is simple enough - you just need to ask the OpenID server for it. django-openid-auth provides a setting for it:
OPENID_SREG_EXTRA_FIELDS = ['email']
In my project I also needed to do extra stuff after authentication. I solved it with a signal:

    from django.contrib.auth import logout
    from django.contrib.auth.models import User
    from django.contrib.auth.signals import user_logged_in

    def register_login_signal():
        # Run the check every time a user finishes logging in
        user_logged_in.connect(your_function_name_here, sender=User)

    def your_function_name_here(sender, **kwargs):
        request = kwargs.get('request')
        # Log the user straight back out if the email is not on the allowed list
        if request.user.email not in your_list_of_authenticated_emails:
            logout(request)

And don't forget to put register_login_signal() in some place where it gets used, like the project's __init__.py file.
Edit:
1st comment/question.
The extra fields part is not stated in the documentation. Also, if you scan through the GitHub package then you notice nothing like it, I'm sure. I am using an older version of https://pypi.python.org/pypi/django-openid-auth/0.5. Download it, unpack and open views.py in the django-openid-auth folder. Search for OPENID_SREG_EXTRA_FIELDS and you'll see it. Works like a charm if you define it in settings.py.
2nd question
Async? Nope, not really. Async would be something that gets run outside of the current function stack - if you can describe it like that. This is nothing like that. Imagine it like this - at the end of the login function there is a check for whether there are any functions hooked onto the end of the login function. And they get run instantly. It's as much async as Django middleware is. So not at all.
But is it the right place to do it? I imagine that you have your site set up so that you check if the user has logged in with the @login_required decorator - or something like that.
So let's see how things will get executed:
1) Your OpenID server sends you all the information you requested with the last request
2) Your django-openid-auth login_complete view takes over and authenticates the user using its backend
3) At the end of that process the signal which you listen for is triggered, the user's email is checked against your list and if the check fails, then he is instantly logged out.
4) Since the view is done, it automatically redirects you to either the URL which was specified in the original view with the "next" parameter or to LOGIN_REDIRECT_URL specified in your settings
5) Before that view all the middleware and decorators get used. And if you have used something like the @login_required decorator (which is a smart thing to do for each login-protected page), then it instantly redirects the user to the login page. If you bothered to add some kind of message to the request in the signal, then the message is displayed (given that your login/logout page supports that)
And to say something in the end - there is no stronger method than logging out.
/edit
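The two rules from the question (the provider must supply an email, and that email must be on the granted list) written as a fail-closed check; this is an added example, not code from the answer or from django-openid-auth. The allow list, the function names and the injected `logout` callable are assumptions, and comparing the local part case-insensitively is a policy choice made here.

```python
from types import SimpleNamespace

# Constructed sample allow list; a real project would load it from its database.
ALLOWED_EMAILS = {"alice@example.com", "Bob@Example.org"}


def normalize_email(email):
    """Return a canonical address for comparison, or None if it is unusable."""
    if not isinstance(email, str):
        return None
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    # Assumption: the local part is compared case-insensitively as well.
    return f"{local.lower()}@{domain.lower()}"


def is_allowed(email, allowed=ALLOWED_EMAILS):
    """Fail closed: a missing or malformed address is never allowed."""
    canonical = normalize_email(email)
    if canonical is None:
        return False
    return canonical in {normalize_email(entry) for entry in allowed}


def enforce_allow_list(sender, request=None, user=None, logout=None, **kwargs):
    """Receiver taking the request/user keywords that user_logged_in sends.

    `logout` is injected (hypothetical parameter) so the block runs without
    Django; in a project, bind django.contrib.auth.logout with functools.partial
    before connecting. Returns True if the session may continue.
    """
    if is_allowed(getattr(user, "email", None)):
        return True
    logout(request)  # end the session that was just created
    return False


if __name__ == "__main__":
    ended = []
    # A provider that returned no email leaves user.email empty.
    no_email = SimpleNamespace(email="")
    print(enforce_allow_list(None, request="req", user=no_email, logout=ended.append))
    print(ended)
```

Django ignores a receiver's return value; it is returned here only so the decision can be checked in tests.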

django social auth error after completing pipeline

I am using django social auth to power facebook connect in my app (admittedly with a little complicated user model and legacy database).
I was redirected to the error page and seem to be running into an error AFTER completion of the pipeline (a redirect as the last step of the pipeline still redirects me).
Can someone tell me where to look to debug this?
Thanks,
A good place to start would be to look in social-auth's views.py, at the few places where the redirect to LOGIN_ERROR_URL happens (the variable url is set to LOGIN_ERROR_URL and then HttpResponseRedirect(url) is called). Add some print statements, or better, set breakpoints using the python debugger. If you run your app in the Django development server, the print statements will show up in the terminal in which you ran the server. Otherwise, they may show up in your server logs, depending on your configuration. You may also find django-debug-toolbar helpful.
Using print statements or the debugger, my workflow would be:
1) Figure out what line in views.py the redirect is triggered from
2) Figure out what condition causes that line to be reached
3) Inspect the variables leading to that condition
Sorry this is so general. Happy to help more if you can provide some more specific information.
Aaron

Single-page login in Django app

I'm currently using out-of-the-box django.contrib.auth to handle authentication in my Django app. This means that the user starts at a log in page and is redirected to the app on successful login. I would like to make my app single-page, including this login process, where a redirect doesn't happen, but maybe a "hot" template switch-out or some fancy client-side div magic (that still remains secure). My Google searching turned up pretty short, the closest solution dealing with putting a log in form on every page.
Any direction or ideas here would be much appreciated. I would obviously prefer to work within the existing confines of django.contrib.auth if possible, but I'm open to all solutions.
I'm not sure I understand your question completely. I think you want to have a single page. If so, put logic in your template that checks to see if the user is authenticated. If not, display a login form that POSTS to the appropriate django.contrib.auth view. You can supply an argument to this view to have it redirect back to your page. When you come back, the user will be authenticated, so you won't display the login form.
Have a look at Django-Easy-Pjax https://pypi.python.org/pypi/django-easy-pjax - it works like a charm and is well documented. Everything you like is being made with AJAX requests: links, forms using GET and forms using POST.
Essentially you only need to add a data-pjax="#id_of_the_container_where_the_result_goes" attribute in your a and form tags.
And the great thing about it: It updates the title and location bar of your browser.
One caveat: If you want to upload files in some form, this is not supported by Easy-Pjax, so you might want to use some workaround jQuery library for that.

django 1.4 caching GET to /login/

I recently upgraded my django framework from 1.3 to 1.4. Today I ran some tests on the login page. I have a switch which determines whether a 'reset password' link should be displayed on the login screen. This test worked nicely under 1.3, but doesn't under 1.4.
I've setup my own view and template for the login page as follows:
    urlpatterns = patterns('framework.views',
        url(r'^$', 'index'),
        url(r'^login/$', 'login_view'),
        url(r'^logout/$', 'logout_view'),
        ...
Upon some further investigation I noticed that if I browse to the login page the first time, it works. If I then remove the entries from my urls.py file (i.e. the /login/ entries), I can still browse to the /login/ page. Even when I restart the Django test server, that URL entry is still valid. Even deleting the urls.pyc file doesn't give me a 404. It's only when I try to post that I'll get a 404. Incidentally, this phenomenon doesn't happen for some of my other URLs.
I have a feeling the reason why my tests fail is that django somehow caches the /login/ request in some mysterious way and so the login page never refreshes for each of the tests I run on the screen. Does anybody know how to overcome this problem and perhaps also why it is that this particular feature has changed. Does it have anything to do with the newly implemented template response??
Do you use Firefox? Try to clear the Firefox cache, or the cache of whatever browser you are using...
I ran into the same issue yesterday. I looked around and I found a lot of people having this issue. Have a look at this...
Don't blame Django as I did in the first place ;) (I blamed myself later, before knowing the real problem)...
Let's blame the protocol :P
Hope this solves your problem!
EDIT:
Here you have some possible solutions to your problem (if you use firefox):
1) http://support.mozilla.org/es/questions/848678
2) https://superuser.com/questions/23134/how-to-turn-off-firefox-cache