Django cookie free sessions optional decorator
Project description
Changelog
1.2 - 26th Oct 2019
Fix breach mitigation test for Python 3 [Ed Crewe]
Fix test settings to correct path [jonespm]
Fix content-length and decode [C.Severance]
1.1 - 1st May 2019
Rewrite for Python 3 and Django 2.2
Remove xteacrypt and use cryptography
[Ed Crewe]
1.0 - 24th February 2014
Test with latest Django 1.6.2
Enforce session keys as strings if the session fails to save, due to the move of the session serializer to JSON in Django 1.6
[Ed Crewe]
0.9 - 18th August 2013
Add protection against the BREACH attack via nonce encryption (http://breachattack.com/)
Added related test
[Chris Bailey]
Remove line return at end of session id introduced by base64 encoding
[Ed Crewe]
0.8 - 4th January 2013
Clean up some pylint warnings
Switch to base64 encoding to shorten encrypted session ids
0.7 - 18th December 2012
Add a cookieless_signal to allow custom code to be hooked to cookieless sessions
Pass a created flag for cookieless sessions to the signal
Add a no_cookies marker key to cookieless sessions for the same reason
Check automatic form rewrites to ensure that sessions are not already set manually
Fix tests check of hidden session_id broken by extra space in hidden field
Add post method for test class view so test posts don’t throw HttpResponseNotAllowed
Make the secret generated by settings options more unique
0.6 - 21st November 2012
Never use the cookie for session for decorated views since it may break sessions passed by cookieless means
0.5 - 14th November 2012
Only rewrite redirect URLs if USE_GET is True and it's the same domain
0.4 - 9th November 2012
Fix issue of not having no_cookies to test in process_request by getting it from urlresolvers. Now we only check for cookie session where we should, and cookies cannot mess with cookieless sessions
Make the deletion of any cookies that are passed on to the URL, an optional feature
Use settings.TESTING based on argv to disable, instead of check for servername
0.3 - 7th November 2012
Turn off cookieless for the Django test browser, since it's hard-coded to use dummy sessions if an alternative session provider is in use; otherwise cookieless could break other packages' tests
Add server name switch to re-enable test browser for cookieless functional tests
Change anon user switch to be NO_COOKIE_PERSIST, i.e. never use cookie-originated sessions; move to process_response
Make session use cookieless post / get first over cookies, if present
Delete request cookies if found in response
Refactor settings to a dictionary
Add some tests
Move fix for non-unicode key to the decrypt method
[Ed Crewe]
0.2 - 6th November 2012
Add COOKIELESS_ANON_ONLY setting to not use cookieless if a user is authorised
Update example settings
Add test suite
Don’t assume request META keys exist so OK with test client etc.
Fix session decrypt with wrong secret, which generated a non-unicode key bug rather than a new session
Add SPECIFIC_URL option for extra security for sessions
[Ed Crewe]
0.1 - 4th November 2012
Initial release
Basis of middleware: Django snippets - http://djangosnippets.org/snippets/1540/
Add simple crypt of sessionid when used in HTML
Call standard contrib.sessions.Session if not decorated as no_cookies
Add CSRF exempt decorator too to ensure cookie not set by that
Add templatetags for users who prefer manual adding of session ids
Add settings options to configure level of security applied, e.g. whitelist of referers, no URL rewriting etc.
[Ed Crewe, julio carlos and Ivscar (snippet), Paul Chakravarti (xteacrypt)]