id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25392	Allow contrib.auth to work without sessions	Roman Odaisky	nobody	"Currently, the authentication middleware requires the session middleware, while in many cases, particularly when building an API-only backend, sessions are completely unnecessary, and what’s worse, they cause a write query during handling of otherwise read-only requests.

Instead, the authentication system should permit operation without sessions altogether:
1. If sessions are unavailable, request.user should stay AnonymousUser until user calls auth.login.
2. If sessions are unavailable, auth.login should be fine not saving anything to sessions.

Additionally, in cases both a traditional Web interface and an API (where authentication is handled by keys in HTTP headers or request parameters) are present, it would be useful to be able to turn the session mechanism on an off (or rather, to instruct the authentication mechanism not to touch sessions) on per-request basis.

Additionally, when sessions are, in fact, made use of, they should not perform write queries until something is actually saved into a session, for performance reasons."	New feature	closed	contrib.auth	dev	Normal	needsinfo			Unreviewed	0	0	0	0	0	0