Starting with Django 1.4, we now get free cryptographic signing if we use the cookie-based backend for session storage, which is great. However, what if I want to store potentially sensitive information in the session? Ideally, I would encrypt it as well.
Here is a real use case: I want to store a temporary token in the session that allows me to issue requests against another service (this token expires after an hour of inactivity). Without encryption, anyone could get this token and issue the requests themselves, which I'd like to avoid.
I realize I can just encrypt/decrypt myself when I put it into the session, but I was wondering if there was a way to do this automatically for the cookie-based session storage. Does anyone have any ideas?
You should inherit the signed session store and make it use your versions of signing.dumps and signing.loads which will, for example, encrypt the pickled string with any necessary algorithm (and decrypt it before de-pickling).
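One way to implement what this answer describes, as an added example that is not from the original post: a stdlib-only encrypt-then-MAC pair, `encrypted_dumps` and `encrypted_loads` (assumed names), that a session store subclass could call in place of `signing.dumps` and `signing.loads`, including the `max_age` expiry check the question needs for its hourly token. The key, nonce length and cipher construction (HMAC-SHA256 in counter mode) are this example's own choices so it runs without third-party packages; a production backend should use a vetted AEAD such as Fernet from the cryptography package instead.

```python
import base64, hashlib, hmac, json, os, time

# Constructed secret; in Django this would come from settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
NONCE_LEN = 16  # random per-cookie nonce so equal payloads encrypt differently

def _subkey(purpose: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one secret."""
    return hmac.new(SECRET_KEY, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def encrypted_dumps(obj) -> str:
    """Serialize, encrypt, then sign (encrypt-then-MAC); stands in for signing.dumps."""
    plaintext = json.dumps({"v": obj, "ts": int(time.time())}).encode()
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(b"enc"), nonce, len(plaintext))
    body = _b64e(nonce + bytes(p ^ k for p, k in zip(plaintext, stream)))
    tag = hmac.new(_subkey(b"mac"), body, hashlib.sha256).digest()
    return (body + b":" + _b64e(tag)).decode()

def encrypted_loads(token: str, max_age: int = 3600):
    """Verify the MAC first, then decrypt and enforce max_age; stands in for signing.loads."""
    body, _, tag = token.encode().rpartition(b":")
    expected = hmac.new(_subkey(b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(_b64d(tag), expected):
        raise ValueError("bad signature")  # forged, tampered or foreign cookie
    raw = _b64d(body)
    nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
    stream = _keystream(_subkey(b"enc"), nonce, len(ciphertext))
    data = json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))
    if time.time() - data["ts"] > max_age:
        raise ValueError("session expired")
    return data["v"]
```

The MAC is checked before any decryption or deserialization, so a tampered cookie is rejected without ever being unpickled or parsed.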