tags:
views: 41
answers: 2

Maybe it's a stupid question, but I'm trying to log in to my Django app using a form that is outside Django. My guess is that I could send a POST request to /login, but that would fail because of the CSRF token.

Maybe I'm missing some kind of theoretical background, but I would like to know what the correct way to achieve this is.

Background info: the Django authentication is working fine IF you use the Django login forms. What I'd like to do is to use an external static HTML form (on an Apache server outside Django) to post to Django directly, so that when I redirect to my Django server, I don't have to log in.

A: 

CSRF exists to prevent exactly this. Although you no doubt have good intentions, there's no technical difference between this and a hacker trying to steal access to your site via a real CSRF attack.

Daniel Roseman
I don't get how this could be dangerous. I want to redirect the user from my non-Django site to my Django site. I mean, I won't use any functionality from my other site; I just want to make a full redirection using the credentials from the "original" site, so I'm not asking for any info on the Django side.
Doppelganger
He's saying that you can't just "post" to your form without CSRF checks, because if you can, then anyone can (including those with nefarious intentions), and you don't want that.
Andrew Sledge
But I'm actually posting login info, so anyone with said login info could somehow impersonate the user.
Doppelganger
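To make the first answer concrete, here is an added illustration (not code from the question or either answer, and not Django's own implementation) that models the two checks Django's CsrfViewMiddleware applies to an unsafe request such as a POST to /login: the request's Origin (or, on HTTPS without an Origin header, its Referer) must match the Django site's own host, and the secret in the browser's csrftoken cookie must match the token submitted in the csrfmiddlewaretoken form field. The cookie and field names and the 32-character secret with Django's per-form masking are Django's; the host names, tokens and requests are constructed for the example, and the check is simplified (no CSRF_TRUSTED_ORIGINS parsing, no character validation).

```python
"""Model of the CSRF check a cross-site login POST must pass (added example)."""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 chars, as in Django
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH  # mask + masked secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

DJANGO_HOST = "app.example.com"                 # constructed: the Django server
EXTERNAL_ORIGIN = "https://static.example.org"  # constructed: the Apache-hosted form


def new_secret() -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str, mask: str) -> str:
    """Django-style masking: token = mask || (secret + mask) mod 62, per character."""
    c = CSRF_ALLOWED_CHARS
    return mask + "".join(c[(c.index(s) + c.index(m)) % len(c)] for s, m in zip(secret, mask))


def unmask_token(token: str) -> str:
    """Recover the secret from a 64-character masked token."""
    c = CSRF_ALLOWED_CHARS
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(c[(c.index(x) - c.index(m)) % len(c)] for x, m in zip(cipher, mask))


def csrf_check(req: dict) -> tuple:
    """Return (accepted, reason) for a request dict with keys
    method, scheme, host, headers, cookies, post."""
    if req["method"] in SAFE_METHODS:
        return True, "safe method"
    own_origin = f"{req['scheme']}://{req['host']}"
    headers = req["headers"]
    origin = headers.get("Origin")
    if origin is not None:
        # Modern browsers send Origin on cross-site POSTs; it must be our own site.
        if origin != own_origin:
            return False, f"Origin checking failed - {origin} does not match {own_origin}"
    elif req["scheme"] == "https":
        # No Origin header: fall back to a strict Referer check on HTTPS.
        referer = headers.get("Referer")
        if referer is None:
            return False, "Referer checking failed - no Referer"
        if not referer.startswith(own_origin + "/"):
            return False, f"Referer checking failed - {referer} does not match {own_origin}"
    cookie_secret = req["cookies"].get("csrftoken")
    if cookie_secret is None:
        return False, "CSRF cookie not set"
    token = req["post"].get("csrfmiddlewaretoken") or headers.get("X-CSRFToken", "")
    if len(token) == CSRF_TOKEN_LENGTH:
        token = unmask_token(token)
    elif len(token) != CSRF_SECRET_LENGTH:
        return False, "CSRF token missing or incorrect"
    if not hmac.compare_digest(cookie_secret, token):
        return False, "CSRF token missing or incorrect"
    return True, "ok"


def login_post(origin, referer, cookie_secret, form_token, scheme="https") -> dict:
    """Build the POST /login request a browser would send (constructed)."""
    headers = {k: v for k, v in (("Origin", origin), ("Referer", referer)) if v}
    post = {"username": "alice", "password": "correct horse battery staple"}
    if form_token:
        post["csrfmiddlewaretoken"] = form_token
    cookies = {"csrftoken": cookie_secret} if cookie_secret else {}
    return {"method": "POST", "scheme": scheme, "host": DJANGO_HOST,
            "headers": headers, "cookies": cookies, "post": post}


def demo() -> dict:
    secret, mask, own = new_secret(), new_secret(), f"https://{DJANGO_HOST}"
    return {
        # Django's own login page: same origin, cookie secret and masked token agree.
        "django_form": csrf_check(login_post(own, own + "/login/", secret, mask_secret(secret, mask))),
        # The static form on the other Apache server: browser reports that site as Origin.
        "external_form": csrf_check(login_post(EXTERNAL_ORIGIN, EXTERNAL_ORIGIN + "/login.html", secret, None)),
        # Old browser, no Origin header: the Referer check catches it instead.
        "external_no_origin": csrf_check(login_post(None, EXTERNAL_ORIGIN + "/login.html", secret, None)),
        # Plain HTTP with neither header: only the cookie/token match is left, and a
        # token minted by the external site cannot match the browser's cookie.
        "external_http_guessed_token": csrf_check(
            login_post(None, None, secret, mask_secret(new_secret(), mask), scheme="http")),
        # A browser that never visited the Django site has no csrftoken cookie at all.
        "no_cookie": csrf_check(login_post(own, own + "/login/", None, None)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Only the request produced by the Django-rendered form passes. Every variant of the externally hosted form fails, because the check is anchored on the browser's own cookie for the Django host and on where the POST came from, neither of which a form on another server controls; that is the "no technical difference" the first answer refers to.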
A: 

Sounds like you need a single sign-on service like CAS: http://code.google.com/p/django-cas/

(but it's possible overkill)

Andrew Sledge
It looks interesting, but yes, it's overkill. I don't want to centralize anything (which would maybe be a more efficient solution); I just have an HTML form hosted on another server, and I have the strings for login and password. So I would like to take advantage of having that info and have the user logged in on the Django server after being redirected.
Doppelganger