A secure way to hold Django session data in cookies
This package contains a drop-in replacement middleware for django.contrib.sessions.middleware.SessionMiddleware to store all session data in a browser cookie instead of the database. The code is based on a snippet from Christopher Lenz.
To prevent user tampering the session dictionary goes through the following encoding steps:
The session dictionary is converted into JSON
A SHA1 hash is made with the JSON and the site’s SECRET_KEY
The JSON and SHA1 hash are concatenated, gzipped and base64 encoded.
The cookie is base64 decoded and ungzipped
The data is split into the SHA1 hash and the JSON data
The SHA1 hash is regenerated from the received JSON data and the site’s SECRET_KEY
If the hashes don’t match, a SuspiciousOperation exception is raised. If the hashes match, the JSON data is converted into a python object and returned.
Place the cookiesession app into your INSTALLED_APPS. Next, put the cookiesession.middleware.CookieSessionMiddleware middleware into your MIDDLEWARE_CLASSES. This middleware is designed as a replacement to django.contrib.sessions.middleware.SessionMiddleware
Two management commands are included to make debugging things easier.
Called as ./manage.py decode_session_cookie <session_cookie_string> and prints the keys and values of the session dictionary.
Encodes key=val arguments into a cookie for manual insertion into your browser for testing purposes. You must call the command as ./manage.py encode_cookie key1=value key2=value. Prints out the encoded cookie string
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for django-cookiesession-0.1.1.tar.gz