I'm working on a little Django app for reserving prints of paintings.

Customers go to this ordering page, fill out some information (name, email, dedication, etc.), pick the print number they want to reserve, and click order. On clicking, I have my Django code storing all the customer information in a new OrderInfo object, and it calls an HttpResponseRedirect to my thankyou page.

I'd like this thankyou page to contain some confirmation details contained in the OrderInfo (e.g. Thank you, {{name}}, for your order).

My first idea was to include the ID of the OrderInfo in the thankyou URL, but this will let anyone access the OrderInfo for any ID, which doesn't sit well for privacy.

You can check out the demo here: link

Thanks in advance!

+5  A: 

First, make sure that all the views that show something sensitive have the @login_required decorator, and check that the request.user is in fact the one that has access to the requested info.

Now, for your specific question, you can put the OrderInfo in the session dict. In fact, it might be convenient to copy the whole object there, not just the ID.

Also, if you want to allow non-logged-in users to do all this, you still have to identify them somehow. Again, the most obvious way is to heavily use the session to track the user.

Javier
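The session-based flow from the answer above, as an added example that is not part of the original thread. It is framework-agnostic so it runs without Django: the plain `session` dict stands in for `request.session`, the `ORDERS` dict and `OrderInfo` dataclass stand in for the model and its manager, and the view functions return a redirect path or the rendered text instead of HttpResponse objects. Clearing the id from the session after the thank-you page is shown is an added choice, so the confirmation is one-shot and an unrelated session (or a later visitor on the same browser) sees nothing.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional


# Constructed stand-in for the OrderInfo model (assumed field names).
@dataclass
class OrderInfo:
    id: int
    name: str
    email: str
    print_number: int
    dedication: str = ""


ORDERS: Dict[int, OrderInfo] = {}  # stand-in for OrderInfo.objects
_next_id = count(1)


def order_view(session: dict, form: dict) -> str:
    """Handle the order POST: save the order, remember which order
    belongs to this session, and redirect to the thank-you page.
    The order id is stored only server-side (session), never in the URL."""
    order = OrderInfo(
        id=next(_next_id),
        name=form["name"],
        email=form["email"],
        print_number=int(form["print_number"]),
        dedication=form.get("dedication", ""),
    )
    ORDERS[order.id] = order
    session["order_id"] = order.id
    return "/thankyou/"  # HttpResponseRedirect target


def thankyou_view(session: dict) -> Optional[str]:
    """Render confirmation details only for the order tied to this
    session. A session that never placed an order (or already saw the
    page) gets None, where the real view would redirect or raise 404."""
    order_id = session.pop("order_id", None)  # one-shot confirmation
    order = ORDERS.get(order_id)
    if order is None:
        return None
    return f"Thank you, {order.name}, for reserving print #{order.print_number}."
```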