/django-session-header

cookieless sessions for Django

Primary LanguagePython

Django Session Header: Identify the session through a header

There are some situations where the browser may not allow any cookies at all to be used. In those cases, we would like to be able to fall back to something that is both secure, and capable. This package allows you to manually pass the sessionid using a header, so that you can continue to use Django's excellent session management.

It extends Django's built-in sessions to support sessions in places where cookies are not allowed. For most views, the handling will be seamless. Those that need to have sessions that persist despite the absence of cookies, there are a few extra features.

Usage

First, install the package.

pip install django-session-header

Replace django.contrib.sessions.middleware.SessionMiddleware in your settings.py with the following:

MIDDLEWARE_CLASSES = [
   # ...
   # 'django.contrib.session.middleware.SessionMiddleware',
   'session_header.middleware.SessionMiddleware',
]

And replace the Django Rest Framework SessionAuthentication class with session_header.authentication.SessionAuthentication:

REST_FRAMEWORK = {
    'DEFAUlT_AUTHENTICATION_CLASSES': [
        # ...
        # 'rest_framework.authentication.SessionAuthentication',
        'session_header.authentication.SessionAuthentication',
    ]
}

If a session was obtained via a session header, then request.session.csrf_exempt will be True. You can use this to conditionally apply CSRF protection. Or, if you prefer, you can replace Django's normal CSRF middleware with session_header.middleware.CsrfViewMiddleware:

MIDDLEWARE_CLASSES = [
    # ...
    # 'django.middleware.csrf.CsrfViewMiddleware',
    'session_header.middleware.CsrfViewMiddleware',
]

The sessionid will be available in the X-SessionID response header, and you can now set the X-SessionID header on the request manually to avoid needing cookies to power your sessions.