django-cookieless: Django cookie free sessions optional decorator

Ed T Crewe

Research output: Non-textual formSoftware


This package provides a sessions implementation and decorator class for views to allow for forms to maintain state without using cookies by posting the session id between forms, or via urls.

Django requires cookies to maintain session, and hence for authorisation.

This package is designed to cater for anonymous user session maintenance, without cookies.

WARNING : There are security issues with this, since it is not possible to use CSRF protection without session Cookies to maintain a separate token from that passed via the URL or form posts.

However there are cases when forms are used on a public site, where setting cookies is not desirable (due to privacy legislation), since technically they are not required for anonymous users to respond to forms. So if used, may necessitate requesting permission to set cookies, from the user.

Hence this package was devised to allow django to deliver multipage forms, without using cookies.

To ameliorate the security implications, a whitelist of allowed domains, can be set in the configuration.

Usage can also be restricted to a particular URL.

As another safety measure, handling of GET requests can be turned off, so that the encrypted session id is not present in any URLs.

Please NOTE: It is not advisable to use this package without some form of the above restrictions being in place.

The package provides a decorator utility to turn off cookie setting for particular views (which also sets the csrf_exempt flag).

The package also handles the case of session handling for anonymous users with cookies disabled in the browser.

You can decorate views to prevent them setting cookies, whilst still retaining the use of Sessions. Usually this is easiest done in the of your core application ...

from cookieless.decorators import no_cookies

>>> urlpatterns = patterns('',
... url(r'^view_function/(\d{1,6})$', no_cookies(view_function)),
... url(r'^view_class/(\d{1,6})$', no_cookies(ViewClass.as_view())),
Note that if a number of browser tabs are open on to a site with cookieless, they will each maintain a completely separate session, since without cookies the session is tied to the session posted from the pages accessed, not the client as a whole.

In cases where this is not the desired behaviour, then it can be reduced by using URL rewriting to make any links to open other windows pass session across. However of course this also means that potentially a session can be shared across browsers, too.
Original languageEnglish
PublisherPython Package Index -
Publication statusPublished - 14 Nov 2012

Fingerprint Dive into the research topics of 'django-cookieless: Django cookie free sessions optional decorator'. Together they form a unique fingerprint.

Cite this