set_test_cookie() on every page?


Victor Hooi

Sep 29, 2011, 8:49:49 PM
to django...@googlegroups.com
Hi,

I've read the Django docs on setting test cookies (https://docs.djangoproject.com/en/dev/topics/http/sessions/#setting-test-cookies), and I'm still a bit confused.

One of our views sets a session variable to remember the object a user is currently viewing (we figured it wasn't worth storing in the database for this).

Should I put set_test_cookie() on every view? That seems a bit silly/redundant.

However, if I only put it on the view that sets the session variable, doesn't that mean the user has to visit that page twice - once to set the cookie, and (since the if test will fail that first time) again to verify it was set? How will the user even know to do that?

Do people actually check for the test cookie these days, or do they just assume it's set?

But then if we call delete_test_cookie(), doesn't that mean we have to set it all over again if the user needs to set the session variable again? Or should we not call delete_test_cookie()?

Cheers,
Victor

John

Sep 30, 2011, 9:33:31 AM
to Django users
While this is not directly your question, if you want to do something
on literally every view, the easiest way to do it would most likely be
to add a custom middleware with a process_request or process_response
method.

More to the point, you should not call set_test_cookie on every view -
in the example on the Django docs, the view calls set_test_cookie()
then checks for success only if the request method is POST, and if it
worked, the logic is short-circuited by a return. So effectively, the
workflow for that page goes like this:

- user requests login page with method GET
- set_test_cookie is called on view
- user receives page and Set-Cookie header
- user logs in, sending form data with POST
- view sees user requesting with POST and checks for existence of cookie
- if it fails, it tells the user to enable cookies.
- otherwise, user is logged in (and the cookie should have been deleted, but it's not a major problem)

As the user should request the page normally (a GET) before they log
in (a POST), you should be able to detect whether they have cookies
enabled. There is a weakness in this logic - if the user POSTs
directly to the page, they may not have the test cookie set, but even
if you call set_test_cookie on every view, this won't close that.



Victor Hooi

Sep 30, 2011, 5:44:55 PM
to django...@googlegroups.com
heya,

John - thanks for the reply.

In this case, it's a jQuery .post() call linked to a dropdown menu (https://groups.google.com/d/topic/django-users/tw0lM-QkdGw/discussion).

The dropdown is a common navigation element on every page. It's used to set a session variable that stores which object a user is working on at the moment (see attached screenshot).

In my webpage:

    $('#dropdown_choice').click(function() {
        $.post("/set_conference", {"current_conference": "conference_name"}, function(data) { alert(data); });
    });

Then in my view:

from django.http import HttpResponse, HttpResponseNotAllowed

# TODO: Set test cookies (although if we're logged in, we can assume cookies work)
def set_current_conference(request):
    # Only accept AJAX POSTs; anything else gets a 405 listing the allowed method.
    if not request.is_ajax() or request.method != 'POST':
        return HttpResponseNotAllowed(['POST'])
    # Remember the selected conference in the user's session.
    request.session['current_conference'] = request.POST.get("current_conference")
    return HttpResponse('Set current_conference to ' + str(request.POST.get("current_conference")))
 
So it seems I would need to put the set_test_cookie() logic on every page, since they could make this call from any page with the dropdown. Or is there another way?

How would people normally handle having an AJAX POST call like this to set a session variable?

Or should I just (dangerously) assume that cookies will work automatically? Alternative?

Cheers,
Victor
Conference Dropdown.png
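
The GET-then-POST handshake John describes, the direct-POST gap he points out, and the delete_test_cookie() question from the first post, as an added stdlib-only model (not code from the thread or from Django). The session store, `view`, `Browser` and `scenario` are hypothetical names; the three marked lines stand in for Django's set_test_cookie(), test_cookie_worked() and delete_test_cookie().

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # constructed server-side store: session id -> dict


def load_session(cookie_header):
    """Return (sid, data); unknown or missing ids get a fresh empty session."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["sessionid"].value if "sessionid" in jar else None
    if sid not in SESSIONS:
        # Never adopt an id the server did not issue.
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {}
    return sid, SESSIONS[sid]


def view(method, cookie_header, conference=None, delete_after=False):
    """GET plants the test marker; POST saves only if the marker came back."""
    sid, session = load_session(cookie_header)
    set_cookie = "sessionid=%s; HttpOnly; Path=/" % sid
    if method == "GET":
        session["testcookie"] = "worked"         # role of set_test_cookie()
        return 200, set_cookie, "page with dropdown"
    if session.get("testcookie") != "worked":    # role of test_cookie_worked()
        return 400, set_cookie, "Please enable cookies and reload."
    if delete_after:
        session.pop("testcookie")                # role of delete_test_cookie()
    session["current_conference"] = conference
    return 200, set_cookie, "saved"


class Browser:
    """Constructed client; cookies_enabled=False drops every Set-Cookie."""
    def __init__(self, cookies_enabled=True):
        self.cookies_enabled, self.jar = cookies_enabled, ""

    def request(self, method, **kw):
        status, set_cookie, _body = view(method, self.jar, **kw)
        if self.cookies_enabled:
            self.jar = set_cookie.split(";")[0]  # keep only name=value
        return status


def scenario(cookies_enabled, get_first, posts=1, delete_after=False):
    """Status of each POST made by one browser, optionally after a GET."""
    b = Browser(cookies_enabled)
    if get_first:
        b.request("GET")
    return [b.request("POST", conference="PyCon", delete_after=delete_after)
            for _ in range(posts)]
```

In this model a cookie-enabled client that POSTs without a prior GET gets the same 400 as a client with cookies disabled, and with `delete_after=True` a second POST from the same page fails until another GET plants the marker again.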