This is really strange. I have written login functions many times but never noticed this.
When we fill in the username and password in a form and submit it, it is sent to the server as a payload like this;
I can see the data in the Chrome DevTools Network tab:
csrfmiddlewaretoken:
mHjXdIDo50tfygxZualuxaCBBdKboeK2R89scsxyfUxm22iFsMHY2xKtxC9uQNni
username: testuser
password: 'dummy pass' # same as I typed (no encryption)
I got this with incorrect credentials, because when the login fails it does not redirect to another page.
But then I tried valid credentials and ticked the Preserve log box in the Chrome Network tab.
When I checked there, I could still see the exact Username and password I had entered.
At first I thought I might be missing some encryption logic or something like that.
But then I tried the login functionality of several well-known tech companies, and I could still see the credentials in the payload. Isn't this wrong?
It should be in an encrypted format, right?
Models.py
from django.db import models
from django.contrib.auth.models import User

class Profile(models.Model):
    # one extra profile row per auth user; the view below also reads
    # is_partner, password_reset and ip_restriction from this model
    user = models.OneToOneField(User, on_delete=models.CASCADE)
HTML
<form method="POST" class="needs-validation mb-4" novalidate>
    {% csrf_token %}
    <div class="form-outline mb-4">
        <input type="email" id="txt_email" class="form-control"
               placeholder="Username or email address" required />
    </div>
    <div class="form-outline mb-4">
        <input type="password" id="txt_password" class="form-control"
               placeholder="Password" required />
    </div>
    <div class="d-grid gap-2">
        <button class="btn btn-primary fa-lg gradient-custom-2 login_btn" type="submit" id="btn_login"><i class="fa fa-sign-in" aria-hidden="true"> </i> Sign in</button>
        <div class="alert alert-danger" id="lbl_error" role="alert" style="display: none;">
        </div>
    </div>
</form>
Login view
from django.contrib.auth import authenticate, login
from django.http import HttpResponse, JsonResponse

from .models import Profile
# check_ip_restricted is a project helper defined elsewhere (not shown here)


def authcheck(request):
    try:
        if request.method == "POST":
            # the browser posts the raw username/password fields; Django's
            # authenticate() hashes the password and compares it to the stored hash
            username = request.POST["username"]
            password = request.POST["password"]
            user = authenticate(username=username, password=password)
            if user is not None:
                check_is_partner = Profile.objects.filter(user__username=username, is_partner=True).values("password_reset").first()
                if check_is_partner and check_is_partner['password_reset'] is True:
                    # note: "json" is not a real MIME type; application/json is the conventional value
                    return JsonResponse(({'code': 0, 'username': username}), content_type="json")
                if check_ip_restricted(user.profile.ip_restriction, request):
                    return HttpResponse("ok_ipr", content_type="json")
                login(request, user)
                session = request.session
                session["username"] = username
                session["userid"] = user.id
                session.save()
                if check_is_partner:
                    return HttpResponse("1", content_type="json")
                else:
                    return HttpResponse("ok", content_type="json")
            else:
                return HttpResponse("nok", content_type="json")
    except Exception:
        return HttpResponse("error", content_type="json")
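For readers wondering what happens to the plaintext password once it reaches the server, here is an added illustration (not code from the question above, and not Django's own source): a minimal, dependency-free re-creation of the `pbkdf2_sha256$iterations$salt$b64hash` encoding that Django's default password hasher stores, plus an `authenticate` that mimics how the view's `authenticate()` call needs the password the browser sent in order to verify it. The user table, salt and iteration count are constructed sample values, and the Django-format compatibility is this example's claim, not something the question states. The point it makes is that the form payload is protected in transit by TLS and at rest by salted hashing; the server must receive the actual password to check it, so the browser-side payload will always show it in clear.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
# Assumption: a work factor in the range modern Django releases use; the real
# default depends on the Django version.
DEFAULT_ITERATIONS = 600_000


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Encode a password the way Django's PBKDF2PasswordHasher stores it.

    The result contains the salt and the derived key, never the password.
    """
    salt = salt or secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded_hash}"


def check_password(password: str, encoded: str) -> bool:
    """Verify a plaintext password against a stored encoded hash."""
    try:
        algorithm, iterations, salt, stored = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), int(iterations))
    candidate = base64.b64encode(digest).decode("ascii")
    # constant-time comparison so a wrong guess cannot be timed byte by byte
    return hmac.compare_digest(candidate, stored)


def authenticate(username: str, password: str,
                 user_table: Dict[str, str]) -> Optional[str]:
    """Mimic Django's ModelBackend: look up the stored hash and compare.

    user_table maps username -> encoded hash (a constructed stand-in for the
    auth_user table). Returns the username on success, None otherwise.
    """
    encoded = user_table.get(username)
    if encoded is None:
        # Like Django, still run the hasher for unknown users so the response
        # time does not reveal whether the account exists.
        check_password(password, make_password("placeholder", iterations=1_000))
        return None
    return username if check_password(password, encoded) else None


if __name__ == "__main__":
    # Constructed sample: the values from the DevTools payload in the question.
    payload = {"username": "testuser", "password": "dummy pass"}
    users = {"testuser": make_password("dummy pass", iterations=1_000)}
    print("stored row:", users["testuser"])          # no plaintext in here
    print("login:", authenticate(payload["username"], payload["password"], users))
```

Run it directly to see that the stored row holds only the algorithm, iteration count, salt and derived key, while the login still succeeds from the exact payload the browser sent. In a real deployment the matching control is to serve the login page only over HTTPS (Django's `SECURE_SSL_REDIRECT`, `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` settings), which is what keeps that payload unreadable on the wire.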