来自Django的POST请求，以使用Django验证应用程序

Question

Ok, so this seems bad (and it probably is, but i have enough doubts at the moment that I want to try it).

I have a Django bases website with a jwplayer flash app embedded on one of the pages. The user has to login to get at that page. The jwplayer just plays an icecast stream.

What I would like/need to do is have it so that only authenticated users can get to the icecast server. At the moment if they grab the url from the webpage, they can get to it fairly trivially.

Icecast can authenticate via POST which I've setup in a django view.

So what I want is for the flashplayer to send the username and password of the user that is logged in, to icecast, which will then authenticate with the same username and password.

My problem is that django doesnt store the actual password, just a hash (a good thing) so I'm beginning to think that I cant really send the user and password to icecast for it to authenticate with.

My other thoughts were to just send the username, and check if that person has already authenticated.

But this would allow someone to listen if someone was already logged in.

Could I do something with a session variable or something?

Django guru's help me! Im open to all and any ideas.

Cheers

Mark.

Answer 1

Why not just have your flash player look for the Django session cookie and then validate against the web server that the user is logged in?

Add something like this to your urls:

(r'^loggedin/', logged_in_user),

Add a view something like this (not tested):

from django.http import HttpResponseForbidden
def logged_in_user(request):
    if request.user.is_authenticated():
        return HttpResponseForbidden()
    else:
        response = HttpResponse(mimetype='text/plain')
        response.write('ok')
        return response

Then just do a get on the /loggedin/ and check the return code, if it's 200 they are logged in if 401 they are not (assuming you are passing in the session cookies)