Avoid passing login data in plain text

Hey,

Using the standard django auth, if I currently try to login as a user and observe the request in the console, I see the user/password in plain text:


My login form:


from django.contrib.auth.forms import AuthenticationForm
from django.forms.widgets import TextInput, PasswordInput
from django import forms


class MyAuthForm(AuthenticationForm):
    # Stock auth form fields with Bootstrap classes and placeholders on the widgets.
    username = forms.CharField(widget=TextInput(attrs={
        "placeholder": "Votre nom d'utilisateur", "type": "text",
        "class": "form-control form-control-user", "id": "id_username",
    }))
    password = forms.CharField(widget=PasswordInput(attrs={
        "placeholder": "Votre mot de passe", "type": "password",
        "class": "form-control form-control-user", "id": "id_password",
    }))

And the template:

<form class="user" action="{% url 'registration:login' %}" method="post">
    {% csrf_token %}
    {% for field in form %}
        {{ field }}
    {% endfor %}
    <input type="submit" class="btn btn-primary btn-user btn-block" value="login">
</form>

The frontend is straight jQuery. Any good way to:

  • send an encrypted version of that login info to the server so it doesn’t travel as plain text in the network
  • have that encrypted string work out well server-side for auth

send an encrypted version of that login info to the server so it doesn’t travel as plain text in the network

If you’re using a POST and HTTPS, this is already happening. Is there something that is lacking from https that you’re trying to achieve?

Ah yes, I think I forgot to add that I can sometimes be a complete idiot in my initial question.

I tested this on localhost instead of the deployed website; so obviously I’m going to see plain text in the request details.

Thanks for pointing out I was being an idiot without actually saying so.

Note: Keep in mind that even if you were using HTTPS, that encryption happens after the console has had a chance to capture the data - you’ll still see the unencrypted data there. (You can verify this by looking at your network tab for any https transmissions.)