views:

79

answers:

3

As I'm writing a django site from government bodies I'm not going to be able to use cookies. I found this snippet http://djangosnippets.org/snippets/1540/ but it's currently not allowing users to login. Before I start debugging I wondered if anyone else has solved this problem with this snippet or in any other way?

UPDATE

The ONLY answer seems to be the middleware/session in URL route, but this becomes an even worse solution if you have a site which has a public section and a private section accessible when logged in. The route we have decided to go is to 'follow' the guidelines:

  1. The content and purpose of any cookie that is delivered by your website should always be communicated to the user.
  2. Users should have the ability to refuse a cookie without it affecting the basic usability of your website.
  3. Your website should notify your users if technical features of your site will be degraded as a result of their declining to accept cookies from it.

Our definition of basic is all the stuff that you can see without logging in. Let's hope that will sway them. This guideline dates back to 2002 and does not cater for modern web apps. Fingers crossed...

Thanks for everyone's contributions.

+1  A: 

While you can use Django without cookies in millions of ways, all of them assume you don't need to track session data. Keeping session data by means of cookies is probably the most reliable and secure way, both for the users and for you. The alternatives are appending session IDs to the end of URLs (which potentially exposes those session IDs to outside servers via the referrer header) and tracking IP, which just won't work, except in the event that only one user would come from one IP at a time and you know the IPs of all the users and they would rarely change. I can't imagine something like that implemented in a web application in 2010.

Vasil
A: 

You could key the data to the REMOTE_USER request header passed to the application (if it exists), but this would require both custom middleware and auth configuration in the web server to work fully.

Ignacio Vazquez-Abrams
A: 

You can use HTTP Authentication (either Basic, or Digest). Most web browsers allow for storing these credentials, or having them expire when a browsing session is finished. The admin doesn't care how the authentication is done, so you can have sessions not even enabled.

Note that with HTTP Basic auth, you'll need to be serving under https, as the header is essentially cleartext containing the username and password.

Matthew Schinckel
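As an added example (not code from any of the answers or from Django itself) of the session-free approach Matthew describes: parse and check an HTTP Basic `Authorization` header with no cookie involved, refuse it unless the request arrived over HTTPS (the cleartext caveat above), and compare password hashes in constant time. The user store, the fixed salt and the `is_secure` flag are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac

ITERATIONS = 100_000
# Constructed fixed salt for the example; a real store would use a random salt per user.
DUMMY_SALT = b"\x00" * 16


def make_record(password, salt=DUMMY_SALT):
    """Salted PBKDF2-SHA256 record for one user (constructed user store format)."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, derived key).
USERS = {"alice": make_record("correct horse battery staple")}


def encode_basic(user, password):
    """Build the header value a browser sends for Basic auth (used to construct test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """Return (username, password) from an Authorization header value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # the password itself may contain ':'
    return user, password


def authenticate(headers, is_secure):
    """Return (status, username): 403 if not HTTPS, 401 if missing/wrong credentials, 200 if OK.

    A 401 response should also carry 'WWW-Authenticate: Basic realm="..."' to trigger the prompt.
    """
    if not is_secure:
        return 403, None  # Basic credentials would travel in cleartext over plain HTTP
    cred = parse_basic_header(headers.get("Authorization", ""))
    if cred is None:
        return 401, None
    user, password = cred
    record = USERS.get(user)
    # Derive a key even for unknown users so response time does not reveal valid usernames.
    salt, expected = record if record is not None else make_record("")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if record is None or not hmac.compare_digest(derived, expected):
        return 401, None
    return 200, user
```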