Django session authentication and disabled cookies

Question

Does session authentication in django have anaything to do with cookies?Would it work if a user has cookies disabled on his browser? Should django warn users if their browsers have cookies disabled?

Answer 1

No, authentication is cookie-based - session ID stored in cookies!

The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the “Referer” header.

There is workarounds, for example you can put the session ID in the query string. Check this article: http://www.stereoplex.com/blog/cookieless-django-sessions-and-authentication-with

Warning from author: don't do what I'm about to describe unless you understand the potential security consequences

Middleware that get session id from request.GET and put it in request.COOKIES (FakeSessionCookie middleware has to be placed before the SessionMiddleware in settings.py):

from django.conf import settings

class FakeSessionCookieMiddleware(object):

    def process_request(self, request):
        if not request.COOKIES.has_key(settings.SESSION_COOKIE_NAME) \
            and request.GET.has_key(settings.SESSION_COOKIE_NAME):
            request.COOKIES[settings.SESSION_COOKIE_NAME] = \
                request.GET[settings.SESSION_COOKIE_NAME]

After authentication you should include session id as url (GET) parameter in all requests to server.