Ticket #3285 (closed: wontfix)

Opened 2 years ago

Last modified 2 years ago

Signed cookies

Reported by: Marty Alchin (Gulopine) <gulopine@gamemusic.org>
Assigned to: nobody
Milestone:
Component: Contrib apps
Version:
Keywords: signed cookies
Cc: jdunck@gmail.com, gary.wilson@gmail.com
Triage Stage: Design decision needed
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

In response to some discussion on Chapter 20 of the Django book, and Jacob's suggestion on django-users (here), this is a proposal for a contrib app (tentatively called django.contrib.signed_cookies) to implement signed cookies throughout a Django project.

The only setting necessary to activate it is the inclusion of the middleware class in MIDDLEWARE_CLASSES, as it uses the existing SECRET_KEY setting to help generate the signature used to authenticate the cookies. Its position in MIDDLEWARE_CLASSES matters, as it transparently handles the signature encryption, validation and signature removal, so that other middlewares and views don't need to have any knowledge of its presence.

  • Each new cookie's name and value are taken along with the site's SECRET_KEY to generate a digest signature.
  • The signature is then prepended to the cookie's value.
  • When a request comes in, it then recalculates the digest and validates it against the signature it contains.
  • If the cookie doesn't contain a signature, or if it fails to validate, the cookie is removed from request.COOKIES.
    • In this case, the view would usually reset the cookie, at which point it would be signed properly.
  • If all succeeds, the signature is removed from the cookie's value in request.COOKIES.

Currently it uses MD5, but could easily be adapted to use a setting that would control which digest utility is used to generate the signature.
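The sign-on-response, validate-and-strip-on-request flow described above, as an added example that is not the middleware.py attached to this ticket. It substitutes HMAC-SHA256 with a constant-time comparison for the MD5 digest the description mentions; the function names and the `SECRET_KEY` constant are hypothetical stand-ins, and the cookie values are constructed.

```python
import hashlib
import hmac

SECRET_KEY = "constructed-example-key"  # stands in for settings.SECRET_KEY
DIGEST = hashlib.sha256                 # swapped in for the MD5 the ticket mentions
SIG_LEN = DIGEST().digest_size * 2      # hex characters in one signature

def _signature(name, value, key=SECRET_KEY):
    # Length-prefix the name so ("ab", "c") and ("a", "bc") sign differently.
    msg = f"{len(name)}:{name}{value}".encode()
    return hmac.new(key.encode(), msg, DIGEST).hexdigest()

def sign_cookie(name, value, key=SECRET_KEY):
    """Outgoing: prepend the signature to the cookie value."""
    return _signature(name, value, key) + value

def unsign_cookie(name, signed, key=SECRET_KEY):
    """Return the original value, or None if unsigned or invalid."""
    if len(signed) < SIG_LEN:
        return None
    sig, value = signed[:SIG_LEN], signed[SIG_LEN:]
    expected = _signature(name, value, key)
    # compare_digest avoids leaking the mismatch position through timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return value

def process_request_cookies(cookies, key=SECRET_KEY):
    """Incoming: keep only cookies that validate, with signatures stripped."""
    clean = {}
    for name, signed in cookies.items():
        value = unsign_cookie(name, signed, key)
        if value is not None:  # an empty but validly signed value is kept
            clean[name] = value
    return clean

def demo():
    # Constructed request cookies covering each case in the description.
    incoming = {
        "theme": sign_cookie("theme", "dark"),                # valid
        "lang": "en",                                         # never signed
        "role": sign_cookie("role", "user")[:-4] + "admin",   # value altered
        "plan": sign_cookie("tier", "gold"),                  # other name
    }
    return process_request_cookies(incoming)
```

Because the cookie name is part of the signed message, a value signed for one cookie does not validate under another name, which is why `plan` is dropped in `demo()`.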

Attachments

middleware.py (1.3 kB) - added by Marty Alchin <gulopine@gamemusic.org> on 01/11/07 13:10:15.
The only file necessary to make it work
tests.py (1.9 kB) - added by Marty Alchin <gulopine@gamemusic.org> on 01/29/07 11:30:27.
complete unit test suite
signedcookies.diff (11.2 kB) - added by Marty Alchin <gulopine@gamemusic.org> on 05/08/07 22:14:49.
A more complete patch, including documentation
signedcookies.2.diff (11.8 kB) - added by Marty Alchin <gulopine@gamemusic.org> on 05/09/07 06:04:43.
Complete patch again, with corrected documentation

Change History

01/11/07 13:10:15 changed by Marty Alchin <gulopine@gamemusic.org>

  • attachment middleware.py added.

The only file necessary to make it work

01/18/07 14:50:06 changed by SmileyChris

  • stage changed from Unreviewed to Design decision needed.

Looks good, Marty! Is there a way to write some tests for this middleware?

I'm going to mark this as "decision needed" and let the core decide on whether this is viable.

01/19/07 15:31:32 changed by Marty Alchin <gulopine@gamemusic.org>

Tests for it should be fairly straightforward, I'll get to work on them this weekend.

01/29/07 11:30:27 changed by Marty Alchin <gulopine@gamemusic.org>

  • attachment tests.py added.

complete unit test suite

01/29/07 11:35:11 changed by Marty Alchin <gulopine@gamemusic.org>

Not that it should matter, but test_delete_cookie in the provided test suite fails in Django 0.95, due to #2503. However, since delete_cookie is only called in the test suite, the middleware itself functions properly, even in 0.95.

02/12/07 01:22:57 changed by sh_samira95@yahoo.com

  • status changed from new to closed.
  • resolution set to invalid.

Can anybody help me? I have a problem with cookies. I want to have two kinds of cookie: permanent and temporary. The temporary cookie should be deleted when the browser closes. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all parts of the cookies, but I want only the temporary part to be deleted. Do you know how I can do that? Can I have two sessions in my code, or does any event for closing the browser exist? I can't use "unload" JavaScript events because that is called when the URL changes; in my test the URL changes page by page. I want to delete the temporary cookie whenever the browser closes. Thanks a lot.

02/12/07 01:26:17 changed by anonymous

  • status changed from closed to reopened.
  • resolution deleted.

02/12/07 01:27:02 changed by sh_samira95@yahoo.com

  • status changed from reopened to closed.
  • resolution set to invalid.


02/12/07 01:57:46 changed by Michael Radziej <mir@noris.de>

  • status changed from closed to reopened.
  • resolution deleted.

Please go to the django-users mailing list for user support. Tickets are for bug reports and enhancement requests.

03/09/07 08:59:18 changed by anonymous

  • cc set to jdunck@gmail.com.

03/26/07 13:27:15 changed by Gary Wilson <gary.wilson@gmail.com>

  • cc changed from jdunck@gmail.com to jdunck@gmail.com, gary.wilson@gmail.com.

05/08/07 22:14:49 changed by Marty Alchin <gulopine@gamemusic.org>

  • attachment signedcookies.diff added.

A more complete patch, including documentation

05/08/07 22:16:11 changed by Marty Alchin <gulopine@gamemusic.org>

  • keywords set to signed cookies.
  • summary changed from [patch] django.contrib.signed_cookies proposal to Signed cookies.

This new unified diff includes non-middleware cookie signing, proper tests and full documentation.

05/09/07 06:04:43 changed by Marty Alchin <gulopine@gamemusic.org>

  • attachment signedcookies.2.diff added.

Complete patch again, with corrected documentation

06/16/07 21:19:40 changed by Marty Alchin <gulopine@gamemusic.org>

I've created a Google Code project for this, as recommended by django-developers.

12/02/07 14:09:08 changed by jacob

  • status changed from reopened to closed.
  • resolution set to wontfix.

Closing this in favor of Marty's external project.

