Django session authentication and disabled cookies

Does session authentication in Django have anything to do with cookies? Would it work if a user has cookies disabled in his browser? Should Django warn users if their browsers have cookies disabled?

Apostolos asked Dec 20 '13 15:12



People also ask

Does Django authentication use cookies?

For security reasons, Django has a session framework that abstracts cookie handling. Session data is stored server side (in the database by default), and the cookie sent to the client carries only a session ID that identifies that data.

Will session work if cookies is disabled?

A session can be maintained with a cookie, but if the client disables cookies, the session ID is never sent back and the session will not work.

What is difference between session and cookies in Django?

Cookies are small pieces of data stored by the browser on the user's machine. Django sessions are server-side records (database rows by default) that hold the user's data and are looked up by the session ID carried in a cookie.

Are Django sessions cookies?

Django uses a cookie containing a session ID to identify each browser and its associated session with the site. The actual session data is stored in the site database by default; this is more secure than storing the data itself in a cookie, where the client can read it.


1 Answer

No; authentication is cookie-based: the session ID is stored in a cookie!

The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the “Referer” header.

There are workarounds; for example, you can put the session ID in the query string. Check this article: http://www.stereoplex.com/blog/cookieless-django-sessions-and-authentication-with

Warning from author: don't do what I'm about to describe unless you understand the potential security consequences

Middleware that gets the session ID from request.GET and puts it in request.COOKIES (the FakeSessionCookie middleware has to be placed before the SessionMiddleware in settings.py):

from django.conf import settings


class FakeSessionCookieMiddleware:
    """Copy the session ID from the query string into request.COOKIES.

    List this class before SessionMiddleware in MIDDLEWARE so that the
    session layer finds the ID where it expects it. Written as new-style
    (callable) middleware; the original used the process_request hook of
    the pre-2.0 MIDDLEWARE_CLASSES API, and dict.has_key() from Python 2.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        name = settings.SESSION_COOKIE_NAME
        # A real cookie always wins; only fall back to the query string
        # when the browser did not send one.
        if name not in request.COOKIES and name in request.GET:
            request.COOKIES[name] = request.GET[name]
        return self.get_response(request)

After authentication you should include the session ID as a URL (GET) parameter in all requests to the server.

ndpu answered Oct 05 '22 05:10

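Added example, not part of the answer above and not Django's own code: the same query-string fallback written as plain WSGI middleware so it runs without Django, together with the two-step test-cookie handshake that answers the third part of the question (detecting, and warning, a browser that has cookies disabled). Only the standard library is used. The inner `demo_app`, the `call` helper and the cookie names `sessionid` (Django's default `SESSION_COOKIE_NAME`) and `testcookie` are constructed for this demonstration.

```python
"""Cookieless-session shim and cookies-disabled probe as plain WSGI (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

SESSION_COOKIE_NAME = "sessionid"  # Django's default; assumed here as a constant
TEST_COOKIE_NAME = "testcookie"    # hypothetical name for the probe cookie


def _cookie_header(cookies):
    """Serialise a SimpleCookie back into a request 'Cookie:' header value."""
    return "; ".join(m.OutputString() for m in cookies.values())


class QueryStringSessionMiddleware:
    """Copy ?sessionid=... into the Cookie header so a downstream session layer
    (e.g. Django's SessionMiddleware) sees it as an ordinary cookie.

    Two additions over the answer's FakeSessionCookieMiddleware:
      * a cookie that is already present always wins over the query string;
      * every response gets 'Referrer-Policy: no-referrer', so a session ID
        in the URL is not leaked to other sites via the Referer header.
    """

    def __init__(self, app, cookie_name=SESSION_COOKIE_NAME):
        self.app = app
        self.cookie_name = cookie_name

    def __call__(self, environ, start_response):
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if self.cookie_name not in cookies:
            params = parse_qs(environ.get("QUERY_STRING", ""))
            sid = params.get(self.cookie_name, [""])[0]
            if sid:
                cookies[self.cookie_name] = sid
                environ["HTTP_COOKIE"] = _cookie_header(cookies)

        def start_response_no_referrer(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "referrer-policy"]
            headers.append(("Referrer-Policy", "no-referrer"))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_no_referrer)


def demo_app(environ, start_response):
    """Constructed inner app: /probe runs the test-cookie handshake, any other
    path reports which session ID reached it."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    path = environ.get("PATH_INFO", "/")
    params = parse_qs(environ.get("QUERY_STRING", ""))

    if path == "/probe":
        if "checked" not in params:
            # Step 1: set a throwaway cookie and bounce the browser back here.
            start_response("302 Found", [
                ("Set-Cookie", f"{TEST_COOKIE_NAME}=1; Path=/; HttpOnly"),
                ("Location", "/probe?checked=1"),
            ])
            return [b""]
        # Step 2: if the cookie did not come back, cookies are disabled.
        if TEST_COOKIE_NAME in cookies:
            body = b"cookies enabled"
        else:
            body = b"cookies disabled: enable cookies or use the session-id URL"
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]

    sid = cookies[SESSION_COOKIE_NAME].value if SESSION_COOKIE_NAME in cookies else ""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"session={sid}".encode()]


def call(app, path, query="", cookie=None):
    """Run one request through `app`; return (status, headers dict, body text)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()


app = QueryStringSessionMiddleware(demo_app)

if __name__ == "__main__":
    print(call(app, "/", "sessionid=abc123"))                       # session taken from the URL
    print(call(app, "/", "sessionid=evil", cookie="sessionid=real"))  # cookie wins
    print(call(app, "/probe"))                                      # step 1: redirect
    print(call(app, "/probe", "checked=1"))                         # step 2 without cookie
```

The shim makes the pattern work, not safe: a session ID in the URL is still written to server and proxy logs and browser history, and travels with any link the user copies. The Referrer-Policy header only closes the Referer vector that the Django documentation quoted in the answer warns about. For the probe, Django already ships the same handshake as `request.session.set_test_cookie()` and `request.session.test_cookie_worked()`, which is the place to show the user a warning before asking them to log in.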