Menu
I'm creating a webapp in Django. I already run through Django tutorials from https://docs.djangoproject.com/en/dev/intro/ and part of documentation
I have a question how to store additional data between requests on the server-side. Django does it really cool with users as follows:
in views.py:
def login_user(request):
if request.POST:
username = request.POST.get('username')
password = request.POST.get('password')
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
return HttpResponseRedirect(settings.LOGIN_REDIRECT_URL)
now in another function you can use the information stored in back-end which is associated via csrf token like this:
in views.py
@login_required
def myappformmethod(request):
user = request.user
msg = 'hello '+user.username
the generated html file does not contain any direct information about the user which is logged, but it keeps the csrf token as a form field:
<form name="myform" action="/myapp/myappformmethod" method="post" onsubmit="prepare()">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='NwKW2lFWSkkNEasdd3ExHe1l5ltzQi' /></div>
I would like to store some session-related data (e.g. favourite color) that will not be visible in html, but will be stored on server side and will be available using something like:
if request.favourite_color:
color = request.favourite_color
and not using
if request.POST.get('favourite_color'):
request.POST.get('favourite_color')
which is vulnerable to manual form element manipulation (if passed using form fields [type:hidden does not help, since you can edit them as well])
The aproriate approach would be adding field to request and producing something like "login" method mentioned earlier ... but how to do it?
Thanks!
960
asked Aug 28 '12 17:08
By default, Django saves session information in database (django_session table or collection), but you can configure the engine to store information using other ways like: in file or in cache. When session is enabled, every request (first argument of any view in Django) has a session (dict) attribute.
To delete a session or any particular key of that session, we can use del. The output will look like this and don't worry if your cookie didn't delete because we use this method only to delete your data in the Django database and not the session ID and cookie itself.
As you mentioned in your question, sessions in Django live for as long as SESSION_COOKIE_AGE determines (which defaults to 2 weeks) from the last time it was "accessed". Two exceptions for that: you can set an expiry time to a session yourself, and then it depends on that.
Sessions framework can be used to provide persistent behaviour for anonymous users in the website. Sessions are the mechanism used by Django for you store and retrieve data on a per-site-visitor basis. Django uses a cookie containing a special session id. INSTALLED_APPS has 'django.
The feature you're looking for is called "sessions" and is supported by Django directly:
https://docs.djangoproject.com/en/dev/topics/http/sessions/
... and here are two examples from that page:
request.session['fav_color'] = 'blue'
fav_color = request.session['fav_color']
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
