Opened 9 years ago

Closed 8 years ago

#3285 closed enhancement (wontfix)

Signed cookies

Reported by: Marty Alchin (Gulopine) <gulopine@…>
Owned by: nobody
Component: Contrib apps
Version:
Severity: normal
Keywords: signed cookies
Cc: jdunck@…, gary.wilson@…
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

In response to some discussion on Chapter 20 of the Django book, and Jacob's suggestion on django-users (here), this is a proposal for a contrib app (tentatively called django.contrib.signed_cookies) to implement signed cookies throughout a Django project.

The only setting necessary to activate it is the inclusion of the middleware class in MIDDLEWARE_CLASSES, as it uses the existing SECRET_KEY setting to help generate the signature used to authenticate the cookies. Its position in MIDDLEWARE_CLASSES matters, as it transparently handles the signature encryption, validation and signature removal, so that other middleware and views don't need to have any knowledge of its presence.

  • Each new cookie's name and value is taken along with the site's SECRET_KEY to generate a digest signature
  • The signature is then prepended to the cookie's value.
  • When a request comes in, it then recalculates the digest and validates it against the signature it contains.
  • If the cookie doesn't contain a signature, or if it fails to validate, the cookie is removed from request.COOKIES.
    • In this case, the view would usually reset the cookie, at which point it would be signed properly.
  • If all succeeds, the signature is removed from the cookie's value in request.COOKIES.

Currently it uses MD5, but could easily be adapted to use a setting that would control which digest utility is used to generate the signature.
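The sign-on-the-way-out, verify-on-the-way-in flow described above, as an added example for illustration; this is not the attached middleware.py or any Django code. It keeps the ticket's design (digest over cookie name and value keyed by SECRET_KEY, signature prepended to the value, unsigned or invalid cookies dropped from the request, signature stripped from valid ones) but substitutes HMAC-SHA256 and a constant-time comparison for the MD5 digest the ticket mentions. The secret, the ":" separator and the function names are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed secret for the demo; a real deployment would use settings.SECRET_KEY.
SECRET_KEY = "constructed-demo-secret-do-not-reuse"
SEPARATOR = ":"  # hex digests never contain ':', so the first ':' always ends the signature


def _signature(name: str, value: str, secret: str = SECRET_KEY) -> str:
    """Keyed digest over the cookie name and value.

    Assumption for this example: HMAC-SHA256 instead of the ticket's MD5.
    Binding the name into the digest means a signed value copied from one
    cookie into another cookie of a different name will not validate.
    """
    msg = f"{name}{SEPARATOR}{value}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, secret: str = SECRET_KEY) -> str:
    """Outbound pass: prepend the signature to the cookie value."""
    return f"{_signature(name, value, secret)}{SEPARATOR}{value}"


def unsign_cookie(name: str, signed_value: str, secret: str = SECRET_KEY):
    """Inbound pass for one cookie: return the bare value if it validates, else None."""
    sig, sep, value = signed_value.partition(SEPARATOR)
    if not sep:
        return None  # no signature present at all
    expected = _signature(name, value, secret)
    # compare_digest on bytes avoids leaking the mismatch position via timing
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    return value


def process_request_cookies(cookies: dict, secret: str = SECRET_KEY) -> dict:
    """Mimic the middleware's request handling over a whole cookie jar.

    Cookies without a signature or with a bad signature are removed (so the
    view sees no value and will typically reset the cookie, which then gets
    signed on the way out); valid cookies are returned with the signature
    stripped, as request.COOKIES would expose them.
    """
    cleaned = {}
    for name, signed_value in cookies.items():
        value = unsign_cookie(name, signed_value, secret)
        if value is not None:
            cleaned[name] = value
    return cleaned


if __name__ == "__main__":
    # Constructed cookie jar: one valid, one never signed, one altered after signing.
    jar = {
        "session": sign_cookie("session", "abc"),
        "plain": "unsigned",
        "tampered": sign_cookie("tampered", "x") + "y",
    }
    print(process_request_cookies(jar))
```

The value may itself contain ":" because partition splits only at the first separator, which always terminates the fixed-length hex signature; that is why the separator choice is safe here.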

Attachments (4)

middleware.py (1.3 KB) - added by Marty Alchin <gulopine@…> 9 years ago.
The only file necessary to make it work
tests.py (1.9 KB) - added by Marty Alchin <gulopine@…> 9 years ago.
complete unit test suite
signedcookies.diff (11.2 KB) - added by Marty Alchin <gulopine@…> 8 years ago.
A more complete patch, including documentation
signedcookies.2.diff (11.8 KB) - added by Marty Alchin <gulopine@…> 8 years ago.
Complete patch again, with corrected documentation


Change History (16)

Changed 9 years ago by Marty Alchin <gulopine@…>

The only file necessary to make it work

comment:1 Changed 9 years ago by SmileyChris

  • Triage Stage changed from Unreviewed to Design decision needed

Looks good, Marty! Is there a way to write some tests for this middleware?

I'm going to mark this as "decision needed" and let the core decide on whether this is viable.

comment:2 Changed 9 years ago by Marty Alchin <gulopine@…>

Tests for it should be fairly straightforward, I'll get to work on them this weekend.

Changed 9 years ago by Marty Alchin <gulopine@…>

complete unit test suite

comment:3 Changed 9 years ago by Marty Alchin <gulopine@…>

Not that it should matter, but test_delete_cookie in the provided test suite fails in Django 0.95, due to #2503. However, since delete_cookie is only called in the test suite, the middleware itself functions properly, even in 0.95.

comment:4 Changed 9 years ago by sh_samira95@…

  • Resolution set to invalid
  • Status changed from new to closed

Can anybody help me? I have a problem with cookies. I want to have two kinds of cookie: permanent and temporary. The temporary cookie should be deleted when the browser closes. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all parts of the cookies, but I only want the temporary part deleted. Do you know how I should do that? Can I have two sessions in my code, or does any event for closing the browser exist? I can't use "unload" JavaScript events because they are called when the URL changes; in my test the URL will change page by page. I want to delete the temporary cookie whenever the browser closes.
Thanks a lot

comment:5 Changed 9 years ago by anonymous

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:6 Changed 9 years ago by sh_samira95@…

  • Resolution set to invalid
  • Status changed from reopened to closed

Can anybody help me? I have a problem with cookies. I want to have two kinds of cookie: permanent and temporary. The temporary cookie should be deleted when the browser closes. I don't want to use "SESSION_EXPIRE_AT_BROWSER_CLOSE" because that will delete all parts of the cookies, but I only want the temporary part deleted. Do you know how I should do that? Can I have two sessions in my code, or does any event for closing the browser exist? I can't use "unload" JavaScript events because they are called when the URL changes; in my test the URL will change page by page. I want to delete the temporary cookie whenever the browser closes. Thanks a lot

comment:7 Changed 9 years ago by Michael Radziej <mir@…>

  • Resolution invalid deleted
  • Status changed from closed to reopened

Please go to the django-users mailing list for user support. Tickets are for bug reports and enhancement requests.

comment:8 Changed 8 years ago by anonymous

  • Cc jdunck@… added

comment:9 Changed 8 years ago by Gary Wilson <gary.wilson@…>

  • Cc gary.wilson@… added

Changed 8 years ago by Marty Alchin <gulopine@…>

A more complete patch, including documentation

comment:10 Changed 8 years ago by Marty Alchin <gulopine@…>

  • Keywords signed cookies added
  • Summary changed from [patch] django.contrib.signed_cookies proposal to Signed cookies

This new unified diff includes non-middleware cookie signing, proper tests and full documentation.

Changed 8 years ago by Marty Alchin <gulopine@…>

Complete patch again, with corrected documentation

comment:11 Changed 8 years ago by Marty Alchin <gulopine@…>

I've created a Google Code project for this, as recommended by django-developers.

comment:12 Changed 8 years ago by jacob

  • Resolution set to wontfix
  • Status changed from reopened to closed

Closing this in favor of Marty's external project.
