Opened 10 years ago

Closed 9 years ago

#3285 closed enhancement (wontfix)

Signed cookies

Reported by: Marty Alchin (Gulopine) <gulopine@…>
Owned by: nobody
Component: Contrib apps
Version:
Severity: normal
Keywords: signed cookies
Cc: jdunck@…, gary.wilson@…
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

In response to some discussion on Chapter 20 of the Django book, and Jacob's suggestion on django-users (here), this is a proposal for a contrib app (tentatively called django.contrib.signed_cookies) to implement signed cookies throughout a Django project.

The only setting necessary to activate it is the inclusion of the middleware class to MIDDLEWARE_CLASSES, as it uses the existing SECRET_KEY setting to help generate the signature used to authenticate the cookies. Its position in MIDDLEWARE_CLASSES matters, as it transparently handles the signature encryption, validation and signature removal, so that other middlewares and views don't need to have any knowledge of its presence.

  • Each new cookie's name and value is taken along with the site's SECRET_KEY to generate a digest signature.
  • The signature is then prepended to the cookie's value.
  • When a request comes in, it then recalculates the digest and validates it against the signature it contains.
  • If the cookie doesn't contain a signature, or if it fails to validate, the cookie is removed from request.COOKIES.
    • In this case, the view would usually reset the cookie, at which point it would be signed properly.
  • If all succeeds, the signature is removed from the cookie's value in request.COOKIES.

Currently it uses MD5, but could easily be adapted to use a setting that would control which digest utility is used to generate the signature.
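The sign/validate/strip flow described above, as an added example that is not the ticket's attached middleware: it keeps the ticket's idea of binding the cookie name and value to SECRET_KEY, but swaps the MD5 digest for HMAC-SHA256 with a constant-time comparison; the "<signature>:<value>" wire format, the demo secret and the request cookies are constructed assumptions.

```python
import hashlib
import hmac

# Constructed demo secret; the ticket's middleware uses settings.SECRET_KEY.
SECRET_KEY = "constructed-demo-secret-do-not-reuse"
SEPARATOR = ":"  # assumed wire format: "<hexdigest>:<original value>"


def _signature(name, value, secret=SECRET_KEY):
    """MAC over the cookie name and value, so a signature for one cookie
    cannot be replayed under another name. Uses HMAC-SHA256 in place of the
    ticket's plain MD5 digest; length-prefixing keeps name/value unambiguous."""
    msg = "%d:%s:%d:%s" % (len(name), name, len(value), value)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign_cookie(name, value, secret=SECRET_KEY):
    """Response side: prepend the signature to the cookie value."""
    return _signature(name, value, secret) + SEPARATOR + value


def verify_cookie(name, signed_value, secret=SECRET_KEY):
    """Request side: return the original value, or None if the cookie carries
    no signature or the signature does not validate."""
    sig, sep, value = signed_value.partition(SEPARATOR)
    if not sep:
        return None  # unsigned cookie: treated as absent
    expected = _signature(name, value, secret)
    if not hmac.compare_digest(sig, expected):
        return None  # tampered value, wrong name, or wrong secret
    return value


def filter_cookies(cookies, secret=SECRET_KEY):
    """What the middleware does to request.COOKIES: drop cookies that fail
    validation and strip the signature from those that pass."""
    clean = {}
    for name, signed_value in cookies.items():
        value = verify_cookie(name, signed_value, secret)
        if value is not None:
            clean[name] = value
    return clean


if __name__ == "__main__":
    # Constructed request: one valid cookie, one tampered, one never signed.
    good = sign_cookie("user", "alice")
    tampered = good.replace("alice", "admin")
    print(filter_cookies({"user": good, "pref": tampered, "raw": "unsigned"}))  # {'user': 'alice'}
```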

Attachments (4)

middleware.py (1.3 KB) - added by Marty Alchin <gulopine@…> 10 years ago.
The only file necessary to make it work
tests.py (1.9 KB) - added by Marty Alchin <gulopine@…> 10 years ago.
complete unit test suite
signedcookies.diff (11.2 KB) - added by Marty Alchin <gulopine@…> 10 years ago.
A more complete patch, including documentation
signedcookies.2.diff (11.8 KB) - added by Marty Alchin <gulopine@…> 10 years ago.
Complete patch again, with corrected documentation


Change History (16)

Changed 10 years ago by Marty Alchin <gulopine@…>

Attachment: middleware.py added

The only file necessary to make it work

comment:1 Changed 10 years ago by Chris Beaven

Triage Stage: Unreviewed → Design decision needed

Looks good, Marty! Is there a way to write some tests for this middleware?

I'm going to mark this as "decision needed" and let the core decide on whether this is viable.

comment:2 Changed 10 years ago by Marty Alchin <gulopine@…>

Tests for it should be fairly straightforward, I'll get to work on them this weekend.

Changed 10 years ago by Marty Alchin <gulopine@…>

Attachment: tests.py added

complete unit test suite

comment:3 Changed 10 years ago by Marty Alchin <gulopine@…>

Not that it should matter, but test_delete_cookie in the provided test suite fails in Django 0.95, due to #2503. However, since delete_cookie is only called in the test suite, the middleware itself functions properly, even in 0.95.

comment:4 Changed 10 years ago by sh_samira95@…

Resolution: invalid
Status: new → closed

Can anybody help me? I have a problem with cookies. I want to have two kinds of cookie: permanent and temporary. The temporary cookie should be deleted when the browser closes. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all parts of the cookies, but I only want the temporary part to be deleted. Do you know how I should do that? Can I have two sessions in my code, or does any event for closing the browser exist? I can't use "unload" JavaScript events because that is called when the URL changes; in my test the URL will change page by page. I want to delete the temporary cookie whenever the browser closes.
Thanks a lot

comment:5 Changed 10 years ago by anonymous

Resolution: invalid
Status: closed → reopened

comment:6 Changed 10 years ago by sh_samira95@…

Resolution: invalid
Status: reopened → closed

Can anybody help me? I have a problem with cookies. I want to have two kinds of cookie: permanent and temporary. The temporary cookie should be deleted when the browser closes. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all parts of the cookies, but I only want the temporary part to be deleted. Do you know how I should do that? Can I have two sessions in my code, or does any event for closing the browser exist? I can't use "unload" JavaScript events because that is called when the URL changes; in my test the URL will change page by page. I want to delete the temporary cookie whenever the browser closes. Thanks a lot

comment:7 Changed 10 years ago by Michael Radziej <mir@…>

Resolution: invalid
Status: closed → reopened

Please go to the django-users mailing list for user support. Tickets are for bug reports and enhancement requests.

comment:8 Changed 10 years ago by anonymous

Cc: jdunck@… added

comment:9 Changed 10 years ago by Gary Wilson <gary.wilson@…>

Cc: gary.wilson@… added

Changed 10 years ago by Marty Alchin <gulopine@…>

Attachment: signedcookies.diff added

A more complete patch, including documentation

comment:10 Changed 10 years ago by Marty Alchin <gulopine@…>

Keywords: signed cookies added
Summary: [patch] django.contrib.signed_cookies proposal → Signed cookies

This new unified diff includes non-middleware cookie signing, proper tests and full documentation.

Changed 10 years ago by Marty Alchin <gulopine@…>

Attachment: signedcookies.2.diff added

Complete patch again, with corrected documentation

comment:11 Changed 9 years ago by Marty Alchin <gulopine@…>

I've created a Google Code project for this, as recommended by django-developers.

comment:12 Changed 9 years ago by Jacob

Resolution: wontfix
Status: reopened → closed

Closing this in favor of Marty's external project.
