Stateless sessions almost here


Brian Beck

Jan 11, 2007, 12:08:10 AM
to Django developers
Hey,

So I'm working on a stateless sessions app that people will be able to
swap with django.contrib.sessions in their settings if they need that
(a recent post mentioned mobile phone browsers for example, apparently
they don't support cookies?). I don't actually care that much but I
thought it would be a fun hack.

Anyway it's almost done, but I need help figuring out one thing.

There are two modes supported. In one it adds the session key to the
beginning of all your URLs when needed, like so:
/session/abcdef123/normal/site/path

This is pretty flexible since people are used to mounting sites at
non-root URLs, plus you don't have to manipulate query parameter
strings which is a pain.

The other is to put it in a query parameter like so:
/normal/site/path/?session=abcdef123.

The app includes all kinds of stuff for making this as easy to deal
with as possible. For security it includes a user-overridable
request-fingerprint function that forces the request into a new session
if it suspects a hijack attempt.

Thing I need help with: the query parameters mode *almost* works in the
admin interface, but it seems that when browsing models, any extraneous
GET parameters trigger the error flag, which makes the page say there's
a possible database error. What's up with that? The thing is I can't
find the code in the admin app that actually does this check. I see
where it renders invalid_setup.html, but not where it's noticing my
extra GET parameter... or is something else happening? Any ideas?

--
Brian Beck
Adventurer of the First Order
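
Added example (not part of the original post and not code from the app it describes): both URL modes from the message above, plus a request-fingerprint check that forces a new session on mismatch. The function names, the in-memory store and the choice of User-Agent plus client address as fingerprint inputs are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

SECRET = b"constructed-demo-secret"  # assumption: a per-site secret key
SESSIONS = {}                        # session key -> fingerprint stored at creation


def fingerprint(headers, remote_addr):
    """Hypothetical default fingerprint: keyed hash of User-Agent and client address."""
    material = "|".join([headers.get("User-Agent", ""), remote_addr])
    return hmac.new(SECRET, material.encode(), hashlib.sha256).hexdigest()


def extract_key(url):
    """Return (session key or None, application path) for either URL mode."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    # Path mode: /session/<key>/normal/site/path
    if len(segments) >= 3 and segments[1] == "session" and segments[2]:
        return segments[2], "/" + "/".join(segments[3:])
    # Query mode: /normal/site/path/?session=<key>
    values = parse_qs(parts.query).get("session")
    return (values[0] if values else None), parts.path


def new_session(fp):
    """Create a server-generated key; client-supplied keys are never adopted."""
    key = secrets.token_hex(16)
    SESSIONS[key] = fp
    return key


def resolve_session(url, headers, remote_addr):
    """Return (session key, path, reused).

    An unknown key or a fingerprint mismatch forces the request into a new session.
    """
    key, path = extract_key(url)
    fp = fingerprint(headers, remote_addr)
    stored = SESSIONS.get(key) if key else None
    if stored is not None and hmac.compare_digest(stored, fp):
        return key, path, True
    return new_session(fp), path, False
```

Because the key travels in the URL, it also ends up in server logs, Referer headers and shared links, so the fingerprint check is the only thing separating a leaked URL from a reused session. A fingerprint built on the client address will also reset sessions for users whose address changes between requests.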

Nicola Larosa (tekNico)

Jan 11, 2007, 2:01:02 AM
to Django developers
Brian Beck wrote:
> So I'm working on a stateless sessions app that people will be able to
> swap with django.contrib.sessions in their settings if they need that
> (a recent post mentioned mobile phone browsers for example, apparently
> they don't support cookies?). I don't actually care that much but I
> thought it would be a fun hack.

"Stateless session" is an oxymoron, there's no such thing. You're
talking about *cookieless* sessions.

Yes, REST-purist speaking here.


--
Nicola Larosa - http://www.tekNico.net/

In the developed world, we do not have a shortage of IPv4 addresses at
this time. [...] In the developing world the situation is already dire.
In some places, entire universities are hidden behind a single routable
IPv4 address, and in others, NAT's are as much as 5 levels deep.
-- Jim Gettys, June 2006

Brian Beck

Jan 11, 2007, 3:07:49 AM
to Django developers
Nicola Larosa (tekNico) wrote:
> "Stateless session" is an oxymoron, there's no such thing. You're
> talking about *cookieless* sessions.

Of course :) I was using them synonymously, i.e. the *browser* has no
means of storing state.
