
Django as a service login and logout

I have a REST API in Django 1.6, but I'm not using any library like django-tastypie or others to do that. I just write my endpoints (urls.py) and return JSON data in my views.py. For authentication I'm using the basic auth Django provides. So in every request made by the front-end I check request.user.id and work from that to know whether that user has access to a certain resource; in other words, I'm using the login session data that Django sets when the front-end calls the login endpoint. Am I incurring safety issues doing this?

I don't think so. If this is safe for use on web pages, why should it be a problem for API calls?

If you are really worried about someone getting session IDs, use SSL to encrypt your communication. But that should be the same for web resources as well; you should use https if you don't want session cookies to be stolen.
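The two points in this thread, the per-request `request.user` check the question describes and the "use SSL" advice in the answer, are shown together below as an added example; it is not code from the question, the answer or Django. Django itself is not imported so the block runs anywhere: `StubUser` and `StubRequest` are constructed stand-ins for the attributes the question relies on, and views return a `(status, body)` tuple instead of an `HttpResponse`. The settings names are real Django 1.6 settings; the `audit_cookie_settings` helper and the `json_login_required` decorator are hypothetical names introduced here.

```python
"""Added example: a session-gated JSON endpoint plus a cookie-settings audit.

Django is deliberately not imported; the request/user objects are constructed
stand-ins so the block runs offline.
"""
import json
from functools import wraps

# Django 1.6 settings that decide how the session and CSRF cookies travel.
# The *_SECURE flags make the browser send the cookie only over HTTPS, which
# is what turns the answer's "use SSL" advice into an enforced property;
# SESSION_COOKIE_HTTPONLY keeps page scripts from reading the session cookie.
REQUIRED_COOKIE_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
}


def audit_cookie_settings(settings):
    """Return findings for settings that are missing or weaker than required.

    `settings` is a plain dict standing in for django.conf.settings.
    """
    findings = []
    for name, wanted in REQUIRED_COOKIE_SETTINGS.items():
        actual = settings.get(name)
        if actual != wanted:
            findings.append("%s should be %r (currently %r)" % (name, wanted, actual))
    return findings


class StubUser:
    """Constructed stand-in for django.contrib.auth user objects."""

    def __init__(self, user_id=None):
        self.id = user_id

    def is_authenticated(self):
        # In Django 1.6 this is a method; AnonymousUser returns False.
        return self.id is not None


class StubRequest:
    """Constructed stand-in carrying only what the gate needs."""

    def __init__(self, user):
        self.user = user


def json_login_required(view):
    """Reject unauthenticated callers with a 401 JSON body, not a redirect.

    This is the per-request check the question does by hand, written once as
    a decorator so no endpoint can forget it.
    """

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated():
            return 401, json.dumps({"error": "authentication required"})
        return view(request, *args, **kwargs)

    return wrapper


@json_login_required
def profile_endpoint(request):
    # Authentication is settled by the decorator; authorization is still
    # decided per resource, here by keying the record on request.user.id.
    return 200, json.dumps({"user_id": request.user.id})


if __name__ == "__main__":
    print(profile_endpoint(StubRequest(StubUser())))     # anonymous caller
    print(profile_endpoint(StubRequest(StubUser(42))))   # logged-in caller
    dev_settings = {"SESSION_COOKIE_SECURE": False}      # constructed sample
    for finding in audit_cookie_settings(dev_settings):
        print(finding)
```

The audit is the check to run before trusting session cookies from an API client: with `SESSION_COOKIE_SECURE` left at its default the cookie is also sent over plain http, so serving the site over https alone does not stop it leaking on a mixed-content or downgraded request.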
