[Answer]-Hidden arguments from Javascript to Django view

1👍

✅

I think you should not have URL patterns based on critical information a potential attacker should not be able to see. This type of information should be passed to the server side using a POST request method in an encrypted SSL or TLS request.

But for your use case a better approach to achieve that is to:

  1. use the FB JavaScript API to log in on the client side and get a FB token
  2. send a POST HTTPS request to your backend and have your backend code request the user information using the FB Graph API (the SSL/TLS request is necessary to pass the access_token information in POST mode; this is the sensitive data here)

# the view code (views.py)
# import your user model here
import requests
from django.http import HttpResponseBadRequest
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.views.decorators.http import require_POST

@require_POST
def login(request, facebook_id):
    # the access token travels in the POST body, never in one of our URL patterns
    token = request.POST.get('access_token')
    if token is None:
        return HttpResponseBadRequest('missing access_token')

    # query graph api (server-to-server HTTPS call, token sent as a query parameter)
    r = requests.get('https://graph.facebook.com/{0}'.format(facebook_id),
                     params={'fields': 'email,name', 'access_token': token})
    data = r.json()
    facebook_email = data['email']
    facebook_name = data['name']

    # check if first login
    try:
        user = Users.objects.get(email=facebook_email, name=facebook_name)
    except Users.DoesNotExist:
        user = Users.objects.create(email=facebook_email, name=facebook_name)
    return render_to_response('counter/login.html', {'user': user},
                              context_instance=RequestContext(request))


# url conf code (urls.py)
from django.conf.urls import patterns, url
import views

urlpatterns = patterns('',
    url(r'^(?P<facebook_id>\w+)/login/$', views.login),
)

👤bambata
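Step 2 of the answer above, as an added Python example that is not part of the answer, of Django or of Facebook's own code: the backend takes the id and the POSTed token and exchanges them for the profile with a Graph API GET (stdlib urllib only, no `requests` dependency), so email and name come from Facebook rather than from the client. The HTTP transport is injectable, and the `fake_graph_get` responses are constructed here so the function can be exercised offline. The cross-check that the returned `id` matches the id the client asked for is an assumption added here, not something the answer states.

```python
"""Server-side Facebook token check for a Django login view (added example)."""
import json
import urllib.parse
import urllib.request

GRAPH_URL = 'https://graph.facebook.com/'  # Graph API base, as in the answer


class GraphLookupError(Exception):
    """Raised when the token cannot be turned into a trustworthy profile."""


def _urllib_get(url, params):
    """Default transport: plain stdlib HTTPS GET. Returns (status, body)."""
    full_url = url + '?' + urllib.parse.urlencode(params)
    with urllib.request.urlopen(full_url, timeout=10) as resp:
        return resp.status, resp.read().decode('utf-8')


def fetch_facebook_profile(facebook_id, token, http_get=_urllib_get):
    """Resolve (facebook_id, token) to {'id', 'email', 'name'} via the Graph API.

    The client only supplies the id and the token; email and name come from
    Facebook, so a caller cannot forge them. ``http_get`` is injectable so the
    function can be exercised offline with a constructed response.
    """
    if not token:
        raise GraphLookupError('missing access_token')
    if not facebook_id.isalnum():
        raise GraphLookupError('malformed facebook id')
    # The token goes in the query parameters of a server-to-server HTTPS call,
    # never in one of our own URL patterns.
    status, body = http_get(GRAPH_URL + facebook_id,
                            {'fields': 'id,email,name', 'access_token': token})
    try:
        data = json.loads(body)
    except ValueError:
        raise GraphLookupError('graph api returned a non-JSON body')
    if not isinstance(data, dict):
        raise GraphLookupError('graph api returned an unexpected JSON shape')
    if status != 200 or 'error' in data:
        # Facebook reports invalid or expired tokens as a JSON "error" object
        message = data.get('error', {}).get('message', 'http %d' % status)
        raise GraphLookupError('graph api error: %s' % message)
    # Assumption added here: refuse a token that identifies a different user
    # than the id the client claimed, so one account cannot log in as another.
    if str(data.get('id')) != facebook_id:
        raise GraphLookupError('token does not belong to the requested user')
    email = data.get('email')
    if not email:
        # Users can withhold the email permission; without it we cannot map
        # the login to a row in our user table, so treat it as a failure.
        raise GraphLookupError('profile has no email permission')
    return {'id': facebook_id, 'email': email, 'name': data.get('name', '')}


# --- constructed Graph API responses for offline use (not real Facebook data) ---
_FAKE_OWNERS = {
    'TOKEN-FOR-1001': {'id': '1001', 'email': 'alice@example.com', 'name': 'Alice'},
    'TOKEN-FOR-1002': {'id': '1002', 'email': 'bob@example.com', 'name': 'Bob'},
}


def fake_graph_get(url, params):
    """Stand-in transport: returns the token owner's profile for two constructed
    tokens and a Graph-style error object otherwise (simplified on purpose)."""
    owner = _FAKE_OWNERS.get(params.get('access_token'))
    if owner is not None:
        return 200, json.dumps(owner)
    return 400, json.dumps({'error': {'message': 'Invalid OAuth access token.',
                                      'type': 'OAuthException', 'code': 190}})


if __name__ == '__main__':
    print(fetch_facebook_profile('1001', 'TOKEN-FOR-1001', fake_graph_get))
```

In the Django view, `token` would come from `request.POST['access_token']` and the returned email would drive the get-or-create on the user model; a `GraphLookupError` maps naturally to a 400 or 403 response, and the `http_get` default performs the real call.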

0👍

Assuming you have a Model to save the User information and his email is unique.

from django.http import HttpResponse
from django.template import RequestContext, loader

def login(request, u_email, u_fname):
    try:
        # Try to get the User in your DB
        user = YourUserModel.objects.get(email=u_email)
        # Do your redirects.
    except YourUserModel.DoesNotExist:
        # Do your other stuff, like adding this new user to your DB
        pass

    template = loader.get_template('counters/login.html')
    context = RequestContext(request, {
        'u_email': u_email,
        'u_fname': u_fname,
    })
    return HttpResponse(template.render(context))
👤Luan Fonseca
