I'm still pretty new to Django and I'm looking to write a login method. What's the best logic for doing that and storing the info in a session so a user can maintain their login?
I have a model for authentication which looks like this:
class User(models.Model):
email_address = models.CharField(max_length=128)
password = models.CharField(max_length=128) # sha512 of password w/salt
password_salt = models.CharField(max_length=128) # sha512 of random number as salt
Essentially, I'd write a login method for a view like this:
@ratelimit_post(minutes = 1, requests = 5, key_field = 'email_address')
def login(request):
requestedUser = User.objects.get(email_address=request.POST['email_address'])
if requestedUser == None:
fail_no_user()
passwordHash = sha512(request.POST['password'] + requestedUser.password_salt)
if requestedUser.password != passwordHash:
fail_wrong_password()
else:
request.session['user_id'] = user.id
request.session['is_auth'] = True
success_login()
Is this a secure way of processing logins and sessions with Django? Since I'm kind of still new, I'm not sure whether this is an accepted approach. Is there anything security and performance-wise which I'm missing here?
Probably the best option is to create your own backend.
See the docs here: https://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend
Writing an authentication backend
An authentication backend is a class that implements two methods: get_user(user_id) and authenticate(**credentials).