Avoid passing login data in plain text

Using Django Deployment
1

Hey,

Using the standard django auth, if I currently try to login as a user and observer the request in the console, I see the user/password in plain text:

image

My login form:


from django.contrib.auth.forms import AuthenticationForm
from django.forms.widgets import TextInput, PasswordInput
from django import forms


class MyAuthForm(AuthenticationForm):
    username = forms.CharField(widget=TextInput(attrs={"placeholder":"Votre nom d'utilisateur", "type":"text", "class":"form-control form-control-user", "id":"id_username"}))
    password = forms.CharField(widget=PasswordInput(attrs={"placeholder":"Votre mot de passe", "type":"password", "class":"form-control form-control-user", "id":"id_password"}))

And the template:

                                    <form class="user" action="{% url 'registration:login' %}" method="post">
                                        {% csrf_token %}
                                        {% for field in form%}
                                            {{field}}
                                        {% endfor %}
                                        <input type="submit" class="btn btn-primary btn-user btn-block" value="login">
                                    </form>

The frontend is straight jquery. Any good way to:

  • send an encrypted version of that login info to the server so it doesn’t travel as plain text in the network
  • have that encrypted string work out well server-side for auth
2

send an encrypted version of that login info to the server so it doesn’t travel as plain text in the network

If you’re using a POST and HTTPS, this is already happening. Is there something that is lacking from https that you’re trying to achieve?

3

Ah yes, I think I forgot to add that I can sometimes be a complete idiot in my initial question.

I tested this on localhost instead of the deployed website; so obviously I’m going to see plain text in the request details.

Thanks for pointing out I was being an idiot without actually saying so.

4

Note: Keep in mind that even if you were using HTTPS, that encryption happens after the console has had a chance to capture the data - you’ll still see the unencrypted data there. (You can verify this by looking at your network tab for any https transmissions.)