Django login/ Payload

Time:12-02

This is weird. I have created login functions so many times but never noticed this. When we provide a username and password in the form and submit it, it goes to the server side as a payload like this. I can see the data below in the Chrome Network tab's payload.

csrfmiddlewaretoken: mHjXdIDo50tfygxZualuxaCBBdKboeK2R89scsxyfUxm22iFsMHY2xKtxC9uQNni
username: testuser
password: 'dummy pass'   # same as I typed (no encryption)

I got this in the case of incorrect credentials, because the login failed and it didn't redirect to another page. But then I tried with valid credentials, turned on "Preserve log" in the Chrome Network tab, checked there, and I can still see the exact username and password I entered. At first I thought I might have missed some encryption logic or something else I don't know about, but then I tried the login functionality of multiple reputable tech companies and I can still see the credentials in the payload. Isn't that wrong?

It's supposed to be in an encrypted format, right?

Models.py

from django.contrib.auth.models import User
from django.db import models


class Profile(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # The login view below also reads is_partner, password_reset and
    # ip_restriction from Profile; those field definitions are not shown here.

html

<form method="POST" novalidate>
    {% csrf_token %}
    <div>
        <!-- name= attributes are what end up as the "username"/"password" keys
             in the POST payload that request.POST["username"] reads -->
        <input type="email" id="txt_email" name="username"
               placeholder="Username or email address" required />
    </div>
    <div>
        <input type="password" id="txt_password" name="password"
               placeholder="Password" required />
    </div>
    <div>
        <button type="submit" id="btn_login"><i aria-hidden="true"> </i> Sign in</button>
        <div id="lbl_error" role="alert" style="display: none;"></div>
    </div>
</form>

login view

from django.contrib.auth import authenticate, login
from django.http import HttpResponse, JsonResponse

from .models import Profile
# check_ip_restricted(ip_restriction, request) is the author's own helper and is not shown here.


def authcheck(request):
    try:
        if request.method == "POST":
            username = request.POST["username"]
            password = request.POST["password"]
            # authenticate() hashes the submitted password and compares it with the
            # stored hash; the plaintext password is never persisted.
            user = authenticate(username=username, password=password)
            if user is not None:
                check_is_partner = Profile.objects.filter(
                    user__username=username, is_partner=True
                ).values("password_reset").first()
                if check_is_partner and check_is_partner["password_reset"] is True:
                    # JsonResponse already sets Content-Type: application/json
                    return JsonResponse({"code": 0, "username": username})
                if check_ip_restricted(user.profile.ip_restriction, request):
                    return HttpResponse("ok_ipr", content_type="application/json")
                login(request, user)
                session = request.session
                session["username"] = username
                session["userid"] = user.id
                session.save()
                if check_is_partner:
                    return HttpResponse("1", content_type="application/json")
                return HttpResponse("ok", content_type="application/json")
            return HttpResponse("nok", content_type="application/json")
        # A view must return a response for every method; the original fell through
        # and returned None for non-POST requests.
        return HttpResponse("nok", status=405, content_type="application/json")
    except Exception:
        # Catching everything hides real errors (e.g. a missing Profile field);
        # log the exception before returning the generic response.
        return HttpResponse("error", content_type="application/json")

CodePudding user response:

The data you're seeing in Chrome DevTools is from before it gets encrypted.

If you were to, say, run tcpdump or Wireshark when you make the request, you'd see that it is encrypted over the network, but it's not encrypted on your local machine.

When you type your username and password into the HTML form and press submit, they're not encrypted yet.

Similarly, you are able to see the response data (status code, headers, payload) to these requests in Chrome Dev Tools. This is showing you what the data looks like after it's been decrypted.

Here's a similar answer to a similar question: https://stackoverflow.com/a/16306925/9638991.
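The answer above only holds when the deployment actually serves the login form and its POST over HTTPS; on plain HTTP the payload shown in DevTools is exactly what crosses the wire. The check below is an added example written for this page (not code from the question, the answer, or Django itself): it compares a settings dict against the real Django transport settings that `manage.py check --deploy` warns about, using two constructed settings dicts, one weak and one hardened.

```python
# Added example: flag the Django transport-security settings that make
# "plaintext in DevTools, encrypted on the wire" true in production.
# The setting names are real Django settings; the two settings dicts below
# are constructed for this example.

# (setting name, value considered safe, why it matters for the login POST)
TRANSPORT_CHECKS = [
    ("SECURE_SSL_REDIRECT", True,
     "http:// requests (including the login POST) are not redirected to https"),
    ("SESSION_COOKIE_SECURE", True,
     "the session cookie set by login() can be sent over plain HTTP"),
    ("CSRF_COOKIE_SECURE", True,
     "the csrftoken cookie can be sent over plain HTTP"),
]


def transport_issues(settings: dict) -> list[str]:
    """Return one message per weak transport setting; an empty list means OK.

    Missing keys are treated as Django's defaults (False / 0), which are the
    weak values, so a settings.py that never mentions them is flagged.
    """
    issues = []
    for name, safe_value, why in TRANSPORT_CHECKS:
        if settings.get(name, False) != safe_value:
            issues.append(f"{name} should be {safe_value!r}: {why}")
    # HSTS: any positive max-age counts as enabled (Django's default is 0).
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        issues.append("SECURE_HSTS_SECONDS should be > 0: browsers may still "
                      "try http:// first on later visits")
    return issues


# Constructed settings: the weak form is what a fresh startproject gives you
# (none of these set); the hardened form is the minimum for a real deployment.
WEAK_SETTINGS = {"DEBUG": False, "ALLOWED_HOSTS": ["example.invalid"]}

HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["example.invalid"],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,  # one year
    # Only correct behind a TLS-terminating proxy that sets this header.
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {transport_issues(cfg) or 'no transport issues'}")
```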
