Intro
I am working on an e-commerce website. And we want to add a feature where a user can refer others via a custom link e.g.:
http://example.com/a1t2312 or http://example.com/?ref=a1t2312 (a1t231 being the referral code).
A user following such a link, will navigate a few pages on the site. And if he reached the 'buy' page and purchases something - the original referrer will get a discount.
The question is:
What is the best method to track the referral code? Put it in the user's cookies? Stick it somehow into the session? Other method?
I would definitely use cookies, as it is the easiest (but not foolproof, though). Sessions are by site, so that won't work, unless the receiving site has some code to handle the user.
All methods mentioned by you are OK. If I were you I would consider using sessions because it is more natural to me.
disclaimer: session has some limitations when you want to build application ready for heavy-load. For complicated demployment scenarios avoiding sessions might be a good choice.
Related
I need to track unregistered users in my Django website. This is for conversion optimization purposes (e.g. registration funnel, etc).
A method I've used so far is using IP address as a proxy for user_id. For various well-known reasons, this has led to fudged/unreliable results.
Can I sufficiently solve my problem via setting a session variable at server-side? An illustrative example would be great.
For example, currently I have a couple of ways in my head. One is doing request.session["temp_id"] = random.randint(1,1000000), and then tracking based on temp_id.
Another is setting a session variable every time an unauthorized user hits my web app's landing page, like so:
if not request.session.exists(request.session.session_key):
request.session.create()
From here on, I'll simply track them via request.session.session_key. Would this be a sound strategy? What major edge-cases (if any) do I need to be aware of?
Cookies are the simplest approach, but take into consideration that some users can have cookies turned off in their browsers.
So for those users you can use javascript local storage to set some data. This information will get deleted once you close the browser, but it's ok for funneling purposes. Still others can have javascript turned off.
Another approach would be to put custom data(key) in every link of the page when generating the template. in other words you would have the session_id stored in html page and send through url parameters at click. Something similar happens with csrf token. Look into that.
I am fairly new in web development and I decided to handle a user's availability to send a POST request to server. However, I do not know even whether it is possible or not but when a user close my Django site without using logout button (For example close the browser or tab), in order to understand the user is offline or online, I want to send a request to server. As a result, when the server does not get an answer from the user for a while, it automatically logout the user.
Can you tell me is it a good way to handle a user's availability and first of all is it a realistic solution? If it is, can you suggest me a document or example that helps me please.
I agree to to the answer of #Mounir. That's not related to django, if you want to know when a user is "disconnected"(close the tab or window) you need to use javascript, in concrete you need to use Sockets.
I recommend you this ones:
http://socket.io/
https://github.com/centrifugal/centrifugo
I'm using centrifugo for one project right now. In concrete, for chat and inbox messaging. It's very simple to make it run with Django.
Greetings
For logging out user you can use the Session expiration, but for all other staff you want to achieve I don't see any thin really related to Django itself, everything depend on your requirements and is more Browser/javascript related than Django.
PHP
My website is almost done, but i'm having some problems with security. Actually, i didn't have problems yet, but i need to prevent. For example, the login system, i'm using cookies/session for it. And as people answered here, cookies are easy to overcome, and it's vunerable.
What is the best way to do a login system, including the passwords and data security?
Also, i'm using cookies for write the names of the users on posts. For example.
(Pretending that the login was successful)
$Cookie = $_COOKIE['username'];
$Cookie = $FetchUserNameFromDatabase;
//Then, on posts to write the name of the user, from the cookie.
$DoPost = "INSERT INTO posts (username, message) VALUES ($Cookie, $AnyMessage)";
Is this the best way to write the users name on posts, from a cookie value (since after login, the name of the user is saved on a cookie)?
IF NOT, what is the best way to do it?
Thanks in advanced.
#EDIT
I forgot to ask. Also, what's the best way to prevent people do a lot of comments (mass-spam)? For example, i do a comment (or a vote, or whatever) and works fine. Then, i do another comment and it blocks me for some time and i can't comment again until this time expires. What's the best way to do it, or at least, what the major sites/forums uses to prevent it?
Thanks again.
Why don't you just use session ids? I'd implement a login using a https connection, then assign a sessionid, wich identifies the user against your db. For further reference you won't even need a secure connection anymore.
In case you want to identify a post just use somthing like "SELECT username FROM users WHERE sessid=" . session_id()
In point of view, you should only use cookie information when you perform an operation that DOES NOT change the state of your application; like displaying the User name in the top of a page.
However in every scenario that you application is changing its state like adding a new POST (in your example) you definetly must not trust the client cookies.
To answer "The best way to do it", it depends on what technologies your are relying on.
Edit:
To prevent mass spam you should use the cookie information and the request information the like IP address.
I'm building a Django-based review website where public users create all of the content on the site. Users create reviews for given items and they also create the items themselves that will be reviewed (providing a description and brief summary of the item, along with a few tags).
My question is this: Should I be using Django's admin features for this website (as in, exposing admin controls to the public users)? Or should I just stick with normal forms? I'm not too familiar with the admin-aspect of Django, and so far I've just been using forms for the website, but I've seen a lot of people talking about Django's admin features, and I'm starting to wonder if I should be using them.
Thanks for any feedback!
Maybe. If the admin functionality covers most of what you want to offer, there's no reason why you shouldn't use it as a starting point.
django.contrib.admin is an application like any other, and provides basically a CRUD interface to your models. Access can be controlled via groups/permissions, just like you would for an application you write yourself. You can give full access to a model with a one-liner, but obviously will have to configure properly when opening up to others.
See also my question
Django AdminSite/ModelAdmin for end users?
and similar questions Exposing django admin to users. Harmful? and How to make Django admin site accessed by non-staff user?
Regarding arguments about the "intended use" of the admin, please note Django's security update at the end of last year: http://www.djangoproject.com/weblog/2010/dec/22/security/ regarding querystring parameters in object lists. Such an update (quote: "an attacker with access to the admin [...]") is a clear indication that the admin's implementation of the permission system is being constantly scrutinized.
No. The django admin is not intended for any end-user.
The django admin feature is intended to assist the website developer, and that is all. Even usage by site administrators is contra-indicated, although in practice most small sites get away with it since they're only talking a few people who can call on the developer personally if they get into trouble.
For your purposes, the review items and the workflow in creating the items is a critical part of your application feature set. The admin will give you ideas, but it would be a mistake to attempt to build your application upon it.
I wouldn't expose the admin interface to regular users. You can use the authentication and user-management side (for your purposes), but it's usually best practice to give users a separate way to manage their objects. You also don't run as much of a risk of granting the wrong privileges to users (or allowing them to grant their own).
Have a read though the docs if you want a better overview about what it can do.
Just fishing for ideas here.
Do any of the major template presentation frameworks (such as Smarty, Django) have prebuilt login/security handling? I want to save time on the security handling because it will consume a lot of time to worry about that. I want to build a site from ground up but I dont really want to go so far as starting with a completed content management system like Joomla or Drupal... thats way overkill. I prefer Java, C#, or PHP and I want to start from as close to "scratch" as I can.
Yes, Django has a complete authentication/authorization framework - see the docs here.
For registration, James Bennett's add-on project django-registration is excellent and popular.
Edited after comment: Django itself supplies the mechanism for allowing admins to create user credentials, storing them in the db, validating them on login, and restricting access to areas of the site based on privileges.
django-registration provides the mechanism for a user to sign up for a username via the site, via an email with a one-time confirmation URL which sets the login up as valid. There are various other plug-in projects which provide variations on this userflow, which may be useful depending how you want your site to work.