Sessions and authentication without cookies

from django.conf import settings

class FakeSessionCookieMiddleware(object):
    """Lets a request without a session cookie supply the session key in the
    query string instead, e.g. ?sessionid=<key>, by copying it into COOKIES
    before the session middleware looks for it."""

    def process_request(self, request):
        # Only fall back to the query string when no session cookie was sent.
        if settings.SESSION_COOKIE_NAME not in request.COOKIES \
                and settings.SESSION_COOKIE_NAME in request.GET:
            request.COOKIES[settings.SESSION_COOKIE_NAME] = \
                request.GET[settings.SESSION_COOKIE_NAME]


Comments

arne (on November 8, 2007):

I like this snippet, but one question came to my mind: what happens if I call the view with some arbitrary data instead of the session-id in the url (the content of request.GET[settings.SESSION_COOKIE_NAME])? Is there a possibility to inject/break anything here? I'm pretty sure this is not the case, but I would like to hear some other opinions on this.


danfairs (on November 8, 2007):

If you were able to figure out someone else's session id, then plonking it in the query string would let you hijack someone else's session. That's why people go to some lengths to make these ids relatively hidden (though they're obviously available in the HTTP payload for non-SSL sites).

I'm taking a look at the Django session code now. What actually happens looks like it's dependent on the session backend that you're using. In the case of the db backend, the machinery recreates your own session with a different key:

(formatting isn't working for some reason, refer to the Django source for clarity!)

```python
import datetime
from django.contrib.sessions.models import Session
from django.core.exceptions import SuspiciousOperation

# SessionStore.load() from the db backend (django.contrib.sessions.backends.db)
def load(self):
    try:
        s = Session.objects.get(
            session_key=self.session_key,
            expire_date__gt=datetime.datetime.now()
        )
        return self.decode(s.session_data)
    except (Session.DoesNotExist, SuspiciousOperation):
        # Create a new session_key for extra security.
        self.session_key = self._get_new_session_key()
        self._session_cache = {}

        # Save immediately to minimize collision
        self.save()
        return {}
```

The file backend does something similar. The in-memory cache, interestingly, doesn't - you just get an empty session.

The relevant code is all in django.contrib.sessions.

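To make the two comments above concrete, here is an added example (not the snippet's code and not Django's) that models the db backend's load() fallback with a plain dict and puts the snippet's rule beside a stricter variant that only accepts a well-formed, already-stored key; Request, DbLikeStore, KEY_RE and the 32-character lowercase key shape are assumptions of this example.

```python
import re
import secrets

SESSION_COOKIE_NAME = "sessionid"       # Django's default for settings.SESSION_COOKIE_NAME
KEY_RE = re.compile(r"^[a-z0-9]{32}$")  # assumed shape of a Django-generated session key


class Request:
    """Constructed stand-in for django.http.HttpRequest: just COOKIES and GET."""
    def __init__(self, cookies=None, get=None):
        self.COOKIES = dict(cookies or {})
        self.GET = dict(get or {})


class DbLikeStore:
    """Models the db backend's load(): an unknown key yields a fresh key and an empty session."""
    def __init__(self, rows=None):
        self.rows = dict(rows or {})   # session_key -> session data (constructed table)

    def exists(self, key):
        return key in self.rows

    def load(self, key):
        if key in self.rows:           # known key: the caller now holds that session
            return key, self.rows[key]
        key = secrets.token_hex(16)    # miss: regenerate, like _get_new_session_key()
        self.rows[key] = {}            # "save immediately to minimize collision"
        return key, {}


def fake_session_cookie(request):
    """The snippet's rule: copy ?sessionid=... into COOKIES when no cookie was sent."""
    if SESSION_COOKIE_NAME not in request.COOKIES and SESSION_COOKIE_NAME in request.GET:
        request.COOKIES[SESSION_COOKIE_NAME] = request.GET[SESSION_COOKIE_NAME]


def fake_session_cookie_strict(request, store):
    """Stricter variant: take a query-string key only if it is well-formed and already stored."""
    key = request.GET.get(SESSION_COOKIE_NAME)
    if SESSION_COOKIE_NAME in request.COOKIES or key is None:
        return False
    if not KEY_RE.match(key) or not store.exists(key):
        return False                   # malformed or unknown key: leave COOKIES untouched
    request.COOKIES[SESSION_COOKIE_NAME] = key
    return True
```

With the plain rule, arbitrary data in the URL is not planted as a session: load() misses and issues a fresh key, as danfairs describes. The stricter variant refuses malformed or unknown keys outright, but neither changes the point that a key in the URL still travels in plain sight in logs and Referer headers.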
