Opened 18 years ago
Closed 17 years ago
#3285 closed enhancement (wontfix)
Signed cookies
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Contrib apps | Version: | |
| Severity: | normal | Keywords: | signed cookies |
| Cc: | jdunck@…, gary.wilson@… | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In response to some discussion on Chapter 20 of the Django book, and Jacob's suggestion on django-users (here), this is a proposal for a contrib app (tentatively called django.contrib.signed_cookies) to implement signed cookies throughout a Django project.
The only setting necessary to activate it is the inclusion of the middleware class to MIDDLEWARE_CLASSES, as it uses the existing SECRET_KEY setting to help generate the signature used to authenticate the cookies. Its position in MIDDLEWARE_CLASSES matters, as it transparently handles the signature encryption, validation and signature removal, so that other middlewares and views don't need to have any knowledge of its presence.
- Each new cookie's name and value is taken along with the site's
SECRET_KEYto generate a digest signature - The signature is then prepended to the cookie's value.
- When a request comes in, it then recalculates the digest and validates it against the signature it contains.
- If the cookie doesn't contain a signature, or if it fails to validate, the cookie is removed from
request.COOKIES.- In this case, the view would usually reset the cookie, at which point it would be signed properly.
- If all succeeds, the signature is removed from the cookie's value in
request.COOKIES.
Currently it uses MD5, but could easily be adapted to use a setting that would control which digest utility is used to generate the signature.
Attachments (4)
Change History (16)
by , 18 years ago
| Attachment: | middleware.py added |
|---|
comment:1 by , 18 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
Looks good, Marty! Is there a way to write some tests for this middleware?
I'm going to mark this as "decision needed" and let the core decide on whether this is viable.
comment:2 by , 18 years ago
Tests for it should be fairly straightforward, I'll get to work on them this weekend.
comment:3 by , 18 years ago
Not that it should matter, but test_delete_cookie in the provided test suite fails in Django 0.95, due to #2503. However, since delete_cookie is only called in the test suite, the middleware itself functions propertly, even in 0.95.
comment:4 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Can anybody help me? I have problem by cookies. I want to have two kind of cookie: permanent and temporary. Temporary cookie should be deleted when browser close. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all part of cookies but I want to temporary part to delete. Can you know how I shall do that? Can I have two sessions in my code or any event for closing browser exists? I can't use "unload" JavaScript events because that is call when URL is change, in my test the URL will be change page by page, I want to delete temporary cookie whenever browser close.
Thanks a lot
comment:5 by , 18 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
comment:6 by , 18 years ago
| Resolution: | → invalid |
|---|---|
| Status: | reopened → closed |
Can anybody help me? I have problem by cookies. I want to have two kind of cookie: permanent and temporary. Temporary cookie should be deleted when browser close. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all part of cookies but I want to temporary part to delete. Can you know how I shall do that? Can I have two sessions in my code or any event for closing browser exists? I can't use "unload" JavaScript? events because that is call when URL is change, in my test the URL will be change page by page, I want to delete temporary cookie whenever browser close. Thanks a lot
comment:7 by , 18 years ago
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Please go to the django-users mailing list for user support. Tickets are for bug reports and enhancement requests.
comment:8 by , 18 years ago
| Cc: | added |
|---|
comment:9 by , 18 years ago
| Cc: | added |
|---|
by , 18 years ago
| Attachment: | signedcookies.diff added |
|---|
A more complete patch, including documentation
comment:10 by , 18 years ago
| Keywords: | signed cookies added |
|---|---|
| Summary: | [patch] django.contrib.signed_cookies proposal → Signed cookies |
This new unified diff includes non-middleware cookie signing, proper tests and full documentation.
by , 18 years ago
| Attachment: | signedcookies.2.diff added |
|---|
Complete patch again, with corrected documentation
comment:11 by , 17 years ago
I've created a Google Code project for this, as recommended by django-developers.
comment:12 by , 17 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
Closing this in favor of Marty's exernal project.
The only file necessary to make it work