Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to store objects in back-end sessions in Django just like Django stores User

I'm creating a webapp in Django. I already run through Django tutorials from https://docs.djangoproject.com/en/dev/intro/ and part of documentation

I have a question how to store additional data between requests on the server-side. Django does it really cool with users as follows:

in views.py:

def login_user(request):
    if request.POST:
        username = request.POST.get('username')
        password = request.POST.get('password')

        user = authenticate(username=username, password=password)
        if user is not None:
            if user.is_active:
                login(request, user)
                return HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)

now in another function you can use the information stored in back-end which is associated via csrf token like this:

in views.py

@login_required
def myappformmethod(request):
    user = request.user
    msg = 'hello '+user.username

the generated html file does not contain any direct information about the user which is logged, but it keeps the csrf token as a form field:

<form name="myform" action="/myapp/myappformmethod" method="post" onsubmit="prepare()">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='NwKW2lFWSkkNEasdd3ExHe1l5ltzQi' /></div>

I would like to store some session-related data (e.g. favourite color) that will not be visible in html, but will be stored on server side and will be available using something like:

if request.favourite_color:
    color = request.favourite_color

and not using

if request.POST.get('favourite_color'):
    request.POST.get('favourite_color')

which is vulnerable to manual form element manipulation (if passed using form fields [type:hidden does not help, since you can edit them as well])

The aproriate approach would be adding field to request and producing something like "login" method mentioned earlier ... but how to do it?

Thanks!

like image 960
Jacek Serafinski Avatar asked Aug 28 '12 17:08

Jacek Serafinski


People also ask

How does Django store data in a session?

By default, Django saves session information in database (django_session table or collection), but you can configure the engine to store information using other ways like: in file or in cache. When session is enabled, every request (first argument of any view in Django) has a session (dict) attribute.

How do I end a session in Django?

To delete a session or any particular key of that session, we can use del. The output will look like this and don't worry if your cookie didn't delete because we use this method only to delete your data in the Django database and not the session ID and cookie itself.

How long do sessions last Django?

As you mentioned in your question, sessions in Django live for as long as SESSION_COOKIE_AGE determines (which defaults to 2 weeks) from the last time it was "accessed". Two exceptions for that: you can set an expiry time to a session yourself, and then it depends on that.

How would you describe session in context of Django framework?

Sessions framework can be used to provide persistent behaviour for anonymous users in the website. Sessions are the mechanism used by Django for you store and retrieve data on a per-site-visitor basis. Django uses a cookie containing a special session id. INSTALLED_APPS has 'django.


1 Answers

The feature you're looking for is called "sessions" and is supported by Django directly:

https://docs.djangoproject.com/en/dev/topics/http/sessions/

... and here are two examples from that page:

request.session['fav_color'] = 'blue'

fav_color = request.session['fav_color']
like image 170
user9876 Avatar answered Oct 12 '22 12:10

user9876