
Authenticating an Android or iPhone app to a Django backend

I have a webapp that is built with Django. It works fine for use on the web, but now I am building an Android app. I am not sure how to go about authenticating the Android app to the Django backend, securely.

This webapp has user profiles. A user can register/login/logout using the web interface. The relevant part of urls.py looks like this:

urlpatterns += patterns('',
  url(r'^accounts/login/$', 'django.contrib.auth.views.login', name='login'),
  url(r'^accounts/logout/$', 'django.contrib.auth.views.logout', name="logout"),
)

My understanding is that after the user successfully completes accounts/login there is some cookie deposited on the browser which is used for the rest of the connections. Is this correct?

When on an Android device, given a username and password, what is the proper or best way to authenticate the user to the Django backend? Do I need to get the cookie like in the browser or is there a better way?

asked Oct 31 '12 02:10

Alexis


1 Answer

There are a couple of ways you could do authentication, but using the existing Django session support and the cookies it uses is probably the best way.

When you connect to a Django page with the Session Middleware enabled (which you need for login) it'll set a session cookie (generally called 'sessionid', although you can customise that). The user's (not) logged-in state is stored server-side in a session linked by this session id (unless you're using the cookie-based sessions, but that's an item for another post).

So your Android app can just get the login page, fish out the sessionid (and csrftoken) cookies and then make a post with the username, password, sessionid and csrftoken.

That's the easy way. There are more complex options, which mostly involve making a custom view that spits back JSON and generally starts providing an API for your mobile apps as opposed to making them pretend they're browsers, but that's somewhat more complex on the Django side.

answered Sep 20 '22 05:09

Tom Parker-Shemilt
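
The flow described in the answer above, as an added Python example that is not part of the original post: GET the login page, pick up the cookies, then POST the credentials together with the CSRF token. It assumes the stock django.contrib.auth login view at /accounts/login/ with Django's default cookie and form field names; `django_login` and `_NoRedirect` are hypothetical names, and an Android client would perform the same two requests with its own HTTP library.

```python
# Added example, not code from the original answer. Standard library only.
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 that Django sends after a successful login."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def django_login(base_url, username, password, login_path="/accounts/login/"):
    """Return the cookie jar holding the logged-in session, or None on failure."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar), _NoRedirect())
    url = base_url.rstrip("/") + login_path

    # Step 1: GET the login page so the server sets csrftoken (and possibly
    # sessionid); the jar replays whatever cookies it received.
    opener.open(url, timeout=10).close()
    cookies = {c.name: c.value for c in jar}
    if "csrftoken" not in cookies:
        raise RuntimeError("login page did not set a csrftoken cookie")

    # Step 2: POST the credentials. The token goes in the form body and must
    # match the csrftoken cookie that the jar sends along.
    body = urllib.parse.urlencode({
        "username": username,
        "password": password,
        "csrfmiddlewaretoken": cookies["csrftoken"],
    }).encode()
    # Django's CSRF check also validates the Referer header on HTTPS requests.
    req = urllib.request.Request(url, data=body, headers={"Referer": url})
    try:
        opener.open(req, timeout=10).close()
    except urllib.error.HTTPError as err:
        # Success is a redirect plus a sessionid cookie for the new session.
        if err.code == 302 and any(c.name == "sessionid" for c in jar):
            return jar
        raise
    return None  # 200 means the form was re-rendered: credentials rejected
```

Use an https:// base URL in production so the password and the session cookie are never sent in clear text.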