Sessions and authentication without cookies

Author: danfairs
Posted: November 7, 2007
Language: Python
Version: .96
Tags: middleware authentication string query session querystring cookie cookieless
Score: 1 (after 1 ratings)

The Session documentation rightly warns of the dangers of putting a session ID into a query string. Sometimes, however, you have to do it - perhaps your client has mandated support for browsers with cookies disabled, or perhaps (as in my case) you're just dealing with a slightly broken client browser.

This middleware pulls a session ID out of the query string and inserts it into the cookies collection. You'll need to include it in your MIDDLEWARE_CLASSES tuple in settings.py, before the SessionMiddleware.

Please read my full blog post for the dangers of doing this, and for full instructions and examples.

from django.conf import settings

class FakeSessionCookieMiddleware(object):
    """Copy a session ID from the query string into request.COOKIES."""

    def process_request(self, request):
        name = settings.SESSION_COOKIE_NAME
        # Only fall back to the query string when no real cookie was sent.
        if name not in request.COOKIES and name in request.GET:
            request.COOKIES[name] = request.GET[name]
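
A stricter variant of the middleware above, added here as an example and not part of the original snippet: it copies the query-string value into the cookies only when it has the shape of a session key, which bounds what an arbitrary value (the case asked about in the comments) can hand to SessionMiddleware. The 32-character lowercase-alphanumeric key format, `pick_session_key` and the `cookie_name` override are assumptions of this example.

```python
import re

# Assumption: session keys are exactly 32 lowercase letters/digits. Adjust the
# pattern to whatever your session backend actually generates.
# \Z (not $) so that a trailing newline is rejected as well.
SESSION_KEY_RE = re.compile(r'[a-z0-9]{32}\Z')


def pick_session_key(cookies, query, name):
    """Return the query-string value to copy into the cookies, or None.

    cookies and query are dict-like (request.COOKIES / request.GET).
    """
    if name in cookies:
        # A real cookie always wins; never let the URL override it.
        return None
    value = query.get(name)
    if value is None or not SESSION_KEY_RE.match(value):
        # Missing, or not shaped like a session key: ignore it entirely.
        return None
    return value


class ValidatingFakeSessionCookieMiddleware(object):
    # Hypothetical override, used for testing without Django settings.
    # None means "read SESSION_COOKIE_NAME from settings".
    cookie_name = None

    def process_request(self, request):
        name = self.cookie_name
        if name is None:
            from django.conf import settings  # imported lazily
            name = settings.SESSION_COOKIE_NAME
        key = pick_session_key(request.COOKIES, request.GET, name)
        if key is not None:
            request.COOKIES[name] = key
```

Install it in place of FakeSessionCookieMiddleware, before the SessionMiddleware. The check constrains only the shape of the value; a key carried in a URL is still exposed wherever URLs are recorded or forwarded.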

Comments

arne (on November 8, 2007):

I like this snippet, but one question came to my mind: what happens if I call the view with some arbitrary data instead of the session-id in the url (the content of request.GET[settings.SESSION_COOKIE_NAME])? Is there a possibility to inject/break anything here? I'm pretty sure this is not the case, but I would like to hear some other opinions on this.
