CODEWITHSUNDEEP
pythondjangoauthenticationdjango-rest-frameworkjwt
Tim
Tim

Reputation: 1069

Implement "Remember Me" Django

I'm currently trying to implement "Remember Me" feature in Django.

I'm using both SessionAuthentication from Django REST framework and JSONWebTokenAuthentication from djangorestframework-jwt.

However, I don't know how to implement the concept of "Remember Me" for these two authentications. Like how do I extend the session forever and how do I extend the token forever (I'm using JWT auth for mobile & desktop - Session auth for browser).

Also, what is the secure way to implement this feature for both authentications?

Upvotes: 4

Views: 9629

Answers (3)

Abhisek
Abhisek

Reputation: 464

Dependencies

from django.shortcuts import render
from django.http import JsonResponse
from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth import authenticate
from site_user.models import User

This code will revoke username and password from session when we are at login page

def home(request):
    if request.session.has_key('username') and request.session.has_key('password'):
        username = request.session['username']
        password = request.session['password']
        context_dict = {'username': username, 'password': password}
        return render(request, 'sadmin/login.html', context=context_dict)
    else:
        context_dict = {'username': '', 'password': ''}
        return render(request, 'sadmin/login.html', context=context_dict)

The following code is used for user authentication. Here 'is_remember_check' checkbox field from HTML file

@csrf_exempt
def login(request):
    if request.method == "POST":
        if request.POST['is_remember_check'] == 'true':
            request.session['username'] = request.POST['username']
            request.session['password'] = request.POST['password']

        user = authenticate(username=request.POST['username'], password=request.POST['password'])

        if user is not None:
            return JsonResponse({'result': request.POST, 'status': True})
        else:
            return JsonResponse({'result': request.POST, 'status': False})

AJAX call from login page

function login(){
    remember_checkbox_value = document.getElementsByName('remember')[0].checked;
    username = document.getElementsByName('username')[0].value;
    password = document.getElementsByName('password')[0].value;
    var post_data = {username:username, password:password, is_remember_check:remember_checkbox_value};

    $.ajax({
                url: '/sadmin/login/',
                method: 'POST',
                data: post_data,
                dataType: 'json',
                success: function (response) {
                        if (response.status){
                        alert("User login is successful");
                        window.location.reload();
                        }
                        else{
                        alert("User login is not successful");
                        window.location.reload();
                        }
                }
        });
}

HTML Code

<div class="form-actions">
            <label class="checkbox">
            <input type="checkbox" name="remember"/> Remember me </label>
            <button type="button" class="btn green-haze pull-right" onclick="login()">Login <i class="m-icon-swapright m-icon-white"></i>
            </button>
        </div>

Upvotes: -1

Nids Barthwal
Nids Barthwal

Reputation: 2419

In setting file you have to set:

SESSION_EXPIRE_AT_BROWSER_CLOSE = True

In template :

provide a checkbox with name="remember_me" value="1"

In login function (view.py or ajax.py) write this code when username and password matches,

try:
    remember = request.POST['remember_me']
    if remember:
        settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = False
except MultiValueDictKeyError:
    is_private = False
    settings.SESSION_EXPIRE_AT_BROWSER_CLOSE = True

Upvotes: -1

Kevin Brown-Silva
Kevin Brown-Silva

Reputation: 41671

There are a few things here that I should make clear ahead of time: how authentication works and where expiration comes into play for SessionAuthentication and JSONWebTokenAuthentication.

Session Authentication

The SessionAuthentication class provided by Django REST framework is really just small layer over the session framework provided by Django. So if you can implement a "remember me" function in Django using their sessions, DRF will also inherit it.

Luckily, someone already asked about that on Stack Overflow: Django “Remember Me” with built-in login view and authentication form

Basically it comes down to changing the SESSION_COOKIE_AGE setting (2 weeks by default) to a very high number. Also make sure to keep in mind the implications of having long-lived sessions, and perhaps check out how long the session cookies are by default on websites you visit (typically anywhere from 2 weeks to 6 months).

JSON Web Tokens

The JSONWebToken authentication class provided by django-rest-framework-jwt authenticates requests based on JSON Web Tokens. By default, tokens expire in five minutes but can be refreshed for up to seven days.

The token expiration time is controlled by the JWT_EXPIRATION_DELTA setting. It is not recommended to extend this time too large, but instead use refresh tokens for long-lived tokens. You can enable refresh tokens with the JWT_ALLOW_REFRESH setting and control the expiration time with the JWT_REFRESH_EXPIRATION_DELTA setting.

Upvotes: 8

Related Questions