Is testing for cookies in a Django website standard? - django

I'm new to web development and I'm trying to develop my own prototype. There are certain ragged edges with my code. I'll lump together making the markup cross-browser compatible, detecting if JS is turned on for the client browser, and testing if cookies are enabled for client.
General question, but does pretty much every site out there test for cookies within their login view? I know how to do this, I was just curious if it's so blatantly necessary.
Obviously, if cookies are disabled, the auth framework won't work. How often do clients turn off cookies these days?
Might be a naive question or I may have answered myself but hey, I'm curious.
Brendan

Cookies and other authentication are handled by the session middleware in Django. The Pylons documentation has a more detailed explanation of how WSGI handles requests/responses, and how they make their way from the server up into your code, here.
Typically in Django, you use the login_required decorator in your views, and the session middleware handles the implementation details (like clients who have cookies disabled, as you mentioned).
For other stuff that you can put in a cookie, you use the HttpRequest.COOKIES array.
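The cookies-enabled check the question asks about, written as an added example against plain WSGI with only the standard library so it runs without Django installed (this is not Django's code; Django's session framework offers the same pattern as request.session.set_test_cookie() / test_cookie_worked() / delete_test_cookie()). The cookie name, the WSGI environ keys used and the login_view responses are this example's own assumptions.

```python
"""Probe-cookie check for a login view (added example, standard library only).

First GET sets a probe cookie; the POST that follows is refused when the probe
did not come back, because the session cookie the auth framework relies on
would not come back either.
"""
from http.cookies import CookieError, SimpleCookie

TEST_COOKIE_NAME = "testcookie"   # assumed name (Django's test cookie uses the same one)
TEST_COOKIE_VALUE = "worked"


def parse_cookies(cookie_header):
    """Turn a raw Cookie header into a dict; malformed input yields {}."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:       # illegal key or value in the header: treat as no cookies
        return {}
    return {key: morsel.value for key, morsel in jar.items()}


def test_cookie_header():
    """Set-Cookie value for the probe. HttpOnly keeps it out of scripts,
    SameSite=Lax out of cross-site requests; add Secure when serving over TLS."""
    jar = SimpleCookie()
    jar[TEST_COOKIE_NAME] = TEST_COOKIE_VALUE
    jar[TEST_COOKIE_NAME]["httponly"] = True
    jar[TEST_COOKIE_NAME]["samesite"] = "Lax"
    jar[TEST_COOKIE_NAME]["path"] = "/"
    return jar[TEST_COOKIE_NAME].OutputString()


def cookies_enabled(environ):
    """True when the browser sent the probe cookie back unchanged."""
    cookies = parse_cookies(environ.get("HTTP_COOKIE"))
    return cookies.get(TEST_COOKIE_NAME) == TEST_COOKIE_VALUE


def login_view(environ):
    """Return (status, headers, body) for a minimal login flow.

    GET: set the probe cookie and show the form.
    POST: refuse when the probe is missing, otherwise pretend the login succeeded.
    Credential checking itself is out of scope here.
    """
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "GET":
        headers = [("Content-Type", "text/plain"), ("Set-Cookie", test_cookie_header())]
        return ("200 OK", headers, b"login form")
    if not cookies_enabled(environ):
        return ("400 Bad Request", [("Content-Type", "text/plain")],
                b"Please enable cookies and try again.")
    return ("302 Found", [("Location", "/")], b"")


if __name__ == "__main__":
    # Simulated round trip with a constructed environ: GET sets the probe,
    # the POST echoes it back, a cookie-less POST is refused.
    print(login_view({"REQUEST_METHOD": "GET"})[1])
    print(login_view({"REQUEST_METHOD": "POST", "HTTP_COOKIE": "testcookie=worked"})[0])
    print(login_view({"REQUEST_METHOD": "POST"})[0])
```

The check is only worth doing on the login path: once the session cookie itself is round-tripping, the probe is redundant, which is why Django's own API has a delete_test_cookie() step after a successful login.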

Related

Django Rest Framework and the Frontend

I want to use Django Rest Framework as an API and am looking for a way to "couple" the frontend / HTML/CSS/JS to it.
To put it in perspective, I am used to the way Django "usually" does it, by naming HTML templates and 'rendering' them when going to a particular URL.
Now, with DRF, it appears that this functionality has fallen away and everywhere I look it's just "react.js or vue.js" as the answers to consume the API.
What are my options for the front end? Can I not just do it all within the 'usual' Django framework, simply, as it was done before. And why do no resources talk about this?
Thanks, let me know if you require further info.
DRF is just an additional layer for Django which helps to implement an API. You can use Django to render HTML on the server side and serve it to the browser. You don't need to use DRF for that. But if you assume that your frontend app will be interactive, dynamic and complicated, then that is not the best way to solve it.
The more popular approach suggests separating it into a frontend application (React or Vue) and a backend with a REST API to interact with. It allows moving everything related to the UI into the frontend app and only keeping state on the server.
By the way, Django was developed to generate HTML on the server, for sites like this https://www.washingtontimes.com/news/, but the world is changing. Resources just talk about popular things.

Does using Backbone/Ember turn Django into a simple REST API?

I have read a couple of articles about using new JS frameworks like Backbone.js or Ember.js
I have come up to this statement:
If I use a JS framework like Backbone.js/Ember.js, I then move the logic from the back-end (Django) to the front-end.
Therefore, will Django actually be used only for its Models?
Does that mean that Django views and Django templates are not needed anymore and the Django back-end kind of turns into a "basic" REST API that will be consumed by the front end?
Do you agree? Is that then the purpose of Django in this case?
Is turning the Django backend into a REST API one of the most suitable use cases when using a framework like Backbone.js/Ember.js for the front-end?
Thanks.
Django is perfectly fine to be used this way; you still get the admin, the models, the ORM and all the third-party plugins. However, it isn't blazingly fast, so if you're doing simple document-level, non-relational REST mapping, you might want to look into node.js and MongoDB for instance.
If you're sticking with django (like we are, we like the structure it gives us), you can use one of the REST plugins:
Django Rest Framework A perfect match since DRF 2.0, under very active development!
Django Tastypie (checkout backbone-tastypie.js for integration)
Django Piston (might be a bit stale or has development picked up lately?)
If you only want to work with frontend development, check out the Backend-as-a-Service places like cloudmine.me or firebase.com that handle all backend stuff for you, for a price of course.
Django may seem unnecessary once you start thinking about single-page solutions and JavaScript applications, but if you want your site to be 'fail proof' it wouldn't be impossible to develop both a client-side JavaScript version of the site as well as a backend Django side in case the user, or your site's JavaScript, fails at some level. Of course this requires creating your site twice, and probably isn't needed in the age of modern browsers, but that would be one of the few instances where you would mix the two for a complete solution.
Yes, that's about it. You can use it to manage authentication to resources and such and maybe use a main view for your application but you won't need to use the server side templating since these frameworks are made to work with json/xml response.
That's why a lot of people are moving to a lighter backend/Backbone or Ember combo instead of a complete solution like Django. You can also use your Django for caching JSON responses, which makes your application appear faster.
We are doing that and use django-piston to make it easier.
Normally you make your entire website under Django and only one page will be a "single app page" using Backbone.js; usually that page is a very interactive page, with lots of small updates that occur frequently and need to be shown very fast to the user. This page, because of the large number of changes and user interactions, is constructed on the client side so that you are using the user's PC resources and not the server's. The rest of the pages can use Django because it offers you a very stable and secure framework for the server side.

Jetty Basic Authentication

I am using Jetty basic auth to authenticate my application. The problem is that I have to close the browser to clear the authentication. I am looking for custom code to do the same.
In other words, how do you log off/sign off once you have been authenticated by Jetty basic auth?
If I understand correctly, what I do in Firefox is select "Tools > Clear Recent History", check Active Logins, and click Clear Now. Took me a while to figure this out.
Assuming you're asking what I think you're asking, then this is a browser question and not a Jetty question.
It sounds like you simply want a way to get your web-browser to forget your username/password.
How you do that will depend on which browser you are using:
For Chrome read this
For FireFox try the Web-developer addon
Other browsers will probably have similar solutions.
If you want to do it from within the Jetty server, then that's much harder, but you can start reading here, here, here and here
Please read this fantastic post on Basic Authentication.
The answer is in the first paragraph.
How to force Jetty to ask for credentials with BASIC authentication after invalidating the session?

Django app spam prevention

We have a Django web application running on Ubuntu/Apache. Lately, we've had a lot of issues with high-volume spamming (comments, registrations, user-contributed content, etc.).
We have CSRF security in place, but I am wondering what steps others have taken to curb this (iptables restrictions, Apache modules, captchas, etc.)?
In addition to what other posters have already written, you can use the Akismet or Mollom services. For both there are Python libraries on PyPI, respectively akismet and PyMollom. You can see how they get integrated in a Django project here (akismet example) and here (mollom example).
If you instead don't want to rely on external services, consider using a captcha application for Django. Personally I used Django Simple Captcha and was happy with it; it's very customizable and easy to install. It also supports audio captcha. This bitbucket repo contains a simple Django project showing how to captcha-protect a classic contact form using Django Simple Captcha.
Also, I'm not sure that resorting to iptables is the best way to prevent spam on your site, at least if you don't have to block consistently annoying IP addresses.
Django CSRF protection is meant to protect your forms from cross-site request forgery, not from SPAM.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) will protect you from automated SPAM.
For human generated SPAM you can use a moderation system.
You might have a look at django-simple-math-captcha as an alternative to a text-based captcha. It's very simple to integrate and doesn't rely on any 3rd party systems.
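A self-contained math captcha of the kind the answer above points at, as an added example that is not django-simple-math-captcha's own code. The challenge carries its own expiring, HMAC-signed answer token, so the server stores nothing per form; SECRET, TTL_SECONDS, the token layout and the function names are this example's assumptions.

```python
"""Stateless math captcha: the hidden field holds expiry, nonce and an HMAC
over the correct answer, so validation needs no server-side record of the
challenge (added example; secret and layout are constructed for illustration).
"""
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-secret-key-replace-me"   # placeholder; load from settings, never from source
TTL_SECONDS = 300                               # assumed lifetime of one challenge


def make_token(answer, expires, nonce):
    """Sign answer|expires|nonce; the answer itself never leaves the server."""
    msg = f"{int(answer)}|{int(expires)}|{nonce}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{int(expires)}:{nonce}:{mac}"


def new_challenge(now=None, nonce=None):
    """Return (question text for the form, token for the hidden field)."""
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    nonce = nonce or secrets.token_hex(8)
    return f"{a} + {b} = ?", make_token(a + b, expires, nonce)


def check_answer(submitted, token, now=None):
    """True only for the right answer, an intact token and an unexpired challenge."""
    try:
        expires_str, nonce, mac = str(token).split(":")
        expires = int(expires_str)
        answer = int(str(submitted).strip())
    except ValueError:                     # malformed token or non-numeric answer
        return False
    current = time.time() if now is None else now
    if current > expires:
        return False
    expected = hmac.new(SECRET, f"{answer}|{expires}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # constant-time compare so a forged token cannot be refined byte by byte
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    question, token = new_challenge()
    print(question)
    print(check_answer(input("answer: "), token))
```

The token binds the answer to one challenge, but a correctly solved token can be resubmitted until it expires; if that matters for your form, record used nonces server-side (a cache entry keyed by nonce for TTL_SECONDS is enough) and reject repeats. The answer space is also tiny, so this stops bulk automation, not a determined attacker; the moderation step the answer above mentions still applies.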
I believe these issues are at root design issues. Have a clear policy of who is allowed to post:
can anonymous users post? Perhaps only allow registered users to post, or have a set of permissions regarding who is allowed to post where.
Captchas are an extremely easy way to weed out spamming. http://www.google.com/recaptcha
reCAPTCHA literally only takes a couple of minutes to integrate, and is extremely effective.

What is the most RESTful form of authentication? Who is using it?

Duplicate: this must be a duplicate of one of the questions that come up in the following search: Please close it as a duplicate if you agree, and add any answers to one of the other questions.
What is the most RESTful form of authentication? What websites use it? (so I can go look at the documentation).
Looking at some APIs, those that claim to be REST are really POX
(ex. Remember the Milk - http://www.rememberthemilk.com/services/api/methods/)
I don't know if this is the 'most RESTful' form, but Amazon's S3 uses an authentication method which is documented here. Each request is signed, so there is no session to track on the backend, but you can still securely verify what user issued the request.
The most RESTful authentication method is probably HTTP Basic. Because it has some significant weaknesses (replay attacks), most APIs tend to shy away from it.
Open Sourcery has a well-thought-out article on RESTful authentication. Sounds like there are no awesome solutions right now beyond simple user/pass auth over SSL and then keeping auth info in subsequent request headers.
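Per-request signing of the kind the S3 answer above describes, and the replay window that the HTTP Basic answer says Basic lacks, as an added example. This is not Amazon's signature scheme (which canonicalises more fields) and not from the original thread; the header names, the canonical string layout, the key store and the 300-second window are this example's own assumptions.

```python
"""Session-less request authentication with HMAC-SHA256 (added example).

The client sends a key id, a timestamp and a signature over the request's
canonical form; the server recomputes the signature from the secret it holds
for that key id, so nothing has to be tracked between requests.
"""
import hashlib
import hmac
import time

# Constructed key store: key id -> shared secret. In a real service this is a
# database or secrets manager, never a literal in source.
KEYS = {"AKID-EXAMPLE": b"constructed-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300   # assumed replay window: reject stale or future-dated requests


def canonical_string(method, path, timestamp, body):
    """Exactly what gets signed; both sides must build it identically."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(int(timestamp)), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: produce the three authentication headers for one request."""
    timestamp = int(time.time() if timestamp is None else timestamp)
    msg = canonical_string(method, path, timestamp, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason) without any per-client session state."""
    now = time.time() if now is None else now
    secret = KEYS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison: a plain == would leak how many leading bytes matched
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    hdrs = sign_request("AKID-EXAMPLE", KEYS["AKID-EXAMPLE"], "PUT", "/bucket/object", b"hello")
    print(hdrs)
    print(verify_request(hdrs, "PUT", "/bucket/object", b"hello"))
    print(verify_request(hdrs, "PUT", "/bucket/object", b"tampered"))
```

The window only bounds replay; a captured request can still be resent within it. Where that matters, add a nonce to the canonical string and keep a short-lived server-side set of nonces seen inside the window. Signing the body hash rather than the body keeps the canonical string small for large uploads while still binding the payload.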