How Do I Deal With Django Session Data for Storing Users ID? - django

This may sound too easy to understand, but I am not sure I am getting my head around it.
When a user is signing up on the first page of my app, I have request.session['user_id'] set, which is used on page two of the sign-up to complete registration. The user_id is the primary key of the user in the USER table, but I don't want to store user_id in the session. I fear it might be tampered with and the WRONG row might get updated.
I would want something like a token that would be generated by my script, but Django's SESSION table only has three columns (session_key, session_data, expire_date) and it saves session details to it automatically.
My questions precisely are:
Can I tinker with the SESSION table and add a session_token to it, or do I have to create my own table?
How do I get the session_token to automatically save like the other columns in Django's SESSION table?
Or is request.session['user_id'] okay and safe?
Do all these also apply to COOKIES, and why do I need to use cookies when SESSION_EXPIRE_AT_BROWSER_CLOSE is set to FALSE?

The session is stored in the database, not in the user's cookie. There is no way for the user to change that data. The only thing stored in the cookie is the hash of the session ID itself.

Related

Are sessions safe to use to store permission information

I am currently writing an application in Django and I am looking at storing specific permission information during a user's session. The permissions are made up of the following values:
No Permissions - 0
Read Only - 1
Edit - 2
Add and Edit - 3
Full Permission - 4
The higher the value, the more permission a user has. If a user has only "Edit" permission for the module "Projects", I want to store that somewhere so I don't have to get Django to query the database constantly. Would it be appropriate to use the following:
request.session['project_permission'] = '2'
Or would the user be able to edit this value and sneak in a higher number like 3 or 4?
Assuming you are using Django's default sessions model backend, the user will not be able to edit any session-related data.
The only information that is stored on the client side is the sessionid (in a cookie), which is the primary key to the Django sessions table.
The Django sessions table also has a column called "session_data", which stores the hashed session data (which the user will not have access to unless they have access to your db).
I do not recommend storing permissions in sessions; there are better ways to implement this.
Additionally, session data (with the default Django sessions model backend) is stored in the database, so indirectly queries are still being made.
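Both answers above (the one about user_id and the one about project_permission) rest on the same point: with Django's default database-backed sessions the browser holds only a random session key, and every value lives in the django_session row that key points at. The following stand-alone Python model, added here as an illustration and not code from Django or from either answer, shows what a client editing its cookie can and cannot achieve against that backend, and contrasts it with a signed-cookie session (the shape of Django's signed_cookies backend, modelled here with a plain HMAC rather than Django's signing module), where the data really does travel in the cookie but any edit invalidates the signature. Class and function names, the secret key and the sample session values are all invented for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class DbSessionStore:
    """Stand-in for Django's default 'db' backend: every value lives in the
    django_session table; the browser only ever holds the random session key
    (the sessionid cookie)."""

    def __init__(self):
        self._rows = {}  # session_key -> data, standing in for django_session

    def create(self, data):
        key = secrets.token_urlsafe(32)  # unguessable random key
        self._rows[key] = dict(data)
        return key  # the only thing that goes to the client

    def load(self, cookie_value):
        # An edited or invented key yields an empty session, never another user's row.
        return dict(self._rows.get(cookie_value, {}))


class SignedCookieSession:
    """Stand-in for a signed-cookie session: the data itself travels in the cookie,
    protected by an HMAC under the server's secret key. Edits are detected, but
    the contents are readable by whoever holds the cookie."""

    def __init__(self, secret_key):
        self._key = secret_key.encode()

    def _mac(self, payload):
        return base64.urlsafe_b64encode(hmac.new(self._key, payload, hashlib.sha256).digest())

    def dump(self, data):
        payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
        return (payload + b":" + self._mac(payload)).decode()

    def load(self, cookie_value):
        payload, _, sig = cookie_value.encode().partition(b":")
        if not hmac.compare_digest(sig, self._mac(payload)):
            return {}  # forged or tampered: treat as no session
        return json.loads(base64.urlsafe_b64decode(payload))


def peek(cookie_value):
    """What a client can do to a signed cookie without the key: read it."""
    payload, _, _ = cookie_value.encode().partition(b":")
    return json.loads(base64.urlsafe_b64decode(payload))


def forge(cookie_value, data):
    """Swap in a new payload while keeping the old signature (the tampering attempt)."""
    _, _, sig = cookie_value.encode().partition(b":")
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return (payload + b":" + sig).decode()


def flip_last_char(s):
    """Minimal edit to a session key, as a client guessing at another session might try."""
    return s[:-1] + ("A" if s[-1] != "A" else "B")


if __name__ == "__main__":
    store = DbSessionStore()
    sid = store.create({"user_id": 42, "project_permission": 2})  # constructed sample values
    print(store.load(sid), store.load(flip_last_char(sid)))
    cookie = SignedCookieSession("example-secret-key")  # placeholder, not a real SECRET_KEY
    c = cookie.dump({"user_id": 42, "project_permission": 2})
    print(cookie.load(c), cookie.load(forge(c, {"user_id": 42, "project_permission": 4})))
```

The practical difference between the two: with the db backend a user_id or permission level in the session is as trustworthy as your database, because the client can only present a key it was given. With a signed-cookie session the value cannot be changed either, but it is not confidential, so it is fine for a permission level and wrong for anything secret.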

Guest Checkout in django

I am currently developing guest checkout in Django, as I don't want to use django-oscar, which provides guest checkout functionality. I searched and came to the conclusion that it can be done through sessions, and found out that when a user logs in to the system, a row is created in the django_session table at that time. So I will have to create a manual entry in django_session for my guest checkout. Can anyone please throw some light on how, and which would be the best way to do it?
The easiest way would be to set request.session['user'] to some default value (e.g. 'guest') by default. You can do the following at the start of every view function (or of the functions that can be accessed directly by typing some URL):
try:
    request.session['user']          # present once somebody has logged in (or been marked guest)
except KeyError:
    request.session['user'] = 'guest'  # first visit in this session: treat as a guest
That's what I've always done and it works miracles ;). What it actually does is check whether a user is logged in (request.session has the key 'user') or not (request.session does not have the key 'user'). When the user logs in, set request.session['user'] to their username.
You don't want to touch the django_session table yourself.
Instead, please read
a tutorial about the session framework, or
the more in-depth documentation
The gist of it is that you can store things in the session dict using
request.session['foo'] = True
and they will be transparently persisted using a cookie. You can retrieve them similarly.

Last activity field in Django's user sessions

How and when exactly does last_activity in Django sessions get updated? I've been testing a Django app, and my last activity in user sessions is logged as several days ago, even though I logged in yesterday as well. What could be going on?
That's a direct result of when sessions are saved:
By default, Django only saves to the session database when the session has been modified – that is, if any of its dictionary values have been assigned or deleted.
If you want to mark a user as being active, you can place the following code in key areas of your app to mark the session as modified, so that it will be saved again to the storage:
request.session.modified = True
Alternatively, you can use SESSION_SAVE_EVERY_REQUEST to make sure that the session gets saved on each and every request; this of course comes with an extra hit to the db.
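The trade-off in the answer above (a read never writes the row back, so last activity goes stale; SESSION_SAVE_EVERY_REQUEST fixes that at one database write per request) can be handled with a middle ground: write a last-activity timestamp into the session only when the stored one is older than some interval. The following stand-alone Python model is an added example, not code from Django or from the answer; the Session class is a minimal imitation of the "assignment marks the session modified" rule, the key name last_activity and the 300-second interval are assumptions, and no Django middleware is involved.

```python
class Session(dict):
    """Minimal stand-in for Django's SessionBase: any assignment or deletion
    flips `modified`, and only a modified session is written back to the
    django_session table at the end of the request."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.modified = False

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self.modified = True

    def __delitem__(self, key):
        super().__delitem__(key)
        self.modified = True


LAST_ACTIVITY_KEY = "last_activity"  # assumed key name for the example


def touch_last_activity(session, now, interval=300):
    """Record activity at most once per `interval` seconds.

    A plain read never marks the session modified, so the row's timestamp can lag
    by days. SESSION_SAVE_EVERY_REQUEST costs one write per hit; this throttle gives
    `interval`-second accuracy for roughly one write per interval per user.
    Returns True when a write was triggered.
    """
    last = session.get(LAST_ACTIVITY_KEY)
    if last is not None and now - last < interval:
        return False  # recent enough: leave the session untouched, no DB write
    session[LAST_ACTIVITY_KEY] = now  # assignment sets session.modified = True
    return True


def simulate(request_times, interval=300):
    """Replay request timestamps (seconds) for one user and return
    (number of session writes, last recorded activity)."""
    session = Session()
    writes = 0
    for t in request_times:
        session.modified = False  # a fresh request starts with nothing to save
        if touch_last_activity(session, t, interval):
            writes += 1
    return writes, session.get(LAST_ACTIVITY_KEY)


if __name__ == "__main__":
    # constructed sample: six requests, three of them within the first 20 seconds
    print(simulate([0, 10, 20, 400, 410, 900]))
```

With the constructed timestamps the session is written on the first request and then only when more than 300 seconds have passed since the last recorded write, so six requests cost three writes instead of six, while the stored timestamp is never more than one interval behind the truth.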

How does Django know who the user is?

According to the Django documentation, the HttpRequest object has a "user" attribute that represents the currently logged in user if the Django installation has activated AuthenticationMiddleware. How does the request object know what the user is? Does the middleware set the user in a cookie and save that cookie to the client browser after the user logs in? In my code, I save the user's ID (from the auth_user table) to a session variable after they've logged in and I usually examine it on each page. If this information is always available in the request object, I shouldn't need to do this. All I should need to do is examine request.user.id. Is this correct?
Thanks.
Yes, you've got it, except the user data is stored in the session. You're doing redundant work by keeping track of all that yourself; this is something Django is great at!
Check out this documentation on user objects
... and this article on all of it specifically.
The user id is stored not in the cookie but in the session.
And yes, you shouldn't save this data in the session yourself:
if request.user.is_authenticated():
    user_id = request.user.id
If the view should be available to logged-in users only, then instead of checking request.user.is_authenticated() use the @login_required decorator.
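To make concrete what "the user id is stored in the session" means, here is a stand-alone Python model of what django.contrib.auth's login() writes into the session and what AuthenticationMiddleware reads back to populate request.user. It is an added example, not Django's code: the three session key names are the ones Django really uses, but the User class, the sample password hashes and the key derivation (a plain SHA-256 of salt and secret in place of Django's salted_hmac) are simplifications invented for the example. The part worth seeing is the third key, _auth_user_hash: because it is an HMAC over the stored password hash, a session stops resolving to the user as soon as the password changes.

```python
import hashlib
import hmac

# Session keys Django's auth app actually uses.
SESSION_KEY = "_auth_user_id"
BACKEND_SESSION_KEY = "_auth_user_backend"
HASH_SESSION_KEY = "_auth_user_hash"

# Assumed for the example: a placeholder SECRET_KEY and the key salt Django uses
# for this purpose; the derivation below is a simplification of salted_hmac().
SECRET_KEY = "example-secret-key-not-for-production"
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"


class User:
    """Tiny stand-in for auth.User: `password` holds the *hashed* password."""

    def __init__(self, pk, username, password_hash):
        self.pk = pk
        self.username = username
        self.password = password_hash

    def get_session_auth_hash(self):
        derived = hashlib.sha256((KEY_SALT + SECRET_KEY).encode()).digest()
        return hmac.new(derived, self.password.encode(), hashlib.sha256).hexdigest()


def login(session, user):
    """What django.contrib.auth.login() stores; the session itself stays server-side."""
    session[SESSION_KEY] = str(user.pk)
    session[BACKEND_SESSION_KEY] = "django.contrib.auth.backends.ModelBackend"
    session[HASH_SESSION_KEY] = user.get_session_auth_hash()


def get_user(session, users):
    """Simplified AuthenticationMiddleware lookup: returns the User behind this
    session, or None where Django would give you AnonymousUser."""
    try:
        user = users[int(session[SESSION_KEY])]
    except (KeyError, ValueError):
        return None  # no login in this session, or an id that matches no row
    # A password change alters get_session_auth_hash(), so older sessions no
    # longer verify; Django flushes them. This is what logs out other devices.
    if not hmac.compare_digest(session.get(HASH_SESSION_KEY, ""), user.get_session_auth_hash()):
        return None
    return user


def change_password(user, new_password_hash):
    user.password = new_password_hash


if __name__ == "__main__":
    alice = User(1, "alice", "hash-of-old-password")  # constructed sample row
    users = {1: alice}
    session = {}
    login(session, alice)
    print(get_user(session, users) is alice)
    change_password(alice, "hash-of-new-password")
    print(get_user(session, users))
```

So the view never needs its own copy of the id: request.user.id is exactly what the session's _auth_user_id resolves to, and it comes with the password-change check for free, which a hand-rolled session['user_id'] does not.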

django save a form for a user that has not registered yet

I need some advice / ideas if someone is inclined to help: I have a JavaScript interface for manipulating pictures. Basically it's about moving photos around. Once that's done, the positions of the images are saved into a Django form and then saved to the database with the owner set to the current user. Now the trick is that I would like to allow non-registered users to play with this interface, and then if they like the result they hit save, are redirected to an account registration page, and only then is the form actually saved with their user as the owner.
What comes to mind now is to keep the values of the form in the session, but I don't know what will happen to the session once the anonymous user registers and becomes another user. I was also thinking of using a 'next' parameter in the registration process, with the URL filled with GET parameters that would be the content of the form, but then I don't know if userena is ready to allow that.
Any light on this is welcome.
Well, we did a similar thing on our site.
When an unregistered user attaches photos, we save the objects to the database and assign a unique hash which was generated when the user came to the page with the form. When the user hits submit we pass this hash in the URL, and on the next step, when the user wants to register, we just get the objects from the database by this hash and assign user_id to them.
Also we have a cron job which does clean-up and removes all lost objects.
P.S. Sorry for my English, I hope you'll get my point.
Save the object without the user and store a reference to that object in the session (or a (signed) cookie). If the user registers, update all the objects with the newly created user.
Another approach would be to store the data in the browser (HTML5 localStorage and fallbacks, or similar) and only insert it into the database once the user has signed up. You would need to make sure both things happen inside the same browser 'instance', but things would be easier on the server side.
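The two server-side answers above (save the rows without an owner, tag them with an unguessable token, hand them to the user once they register, and purge what nobody claims) describe the same pattern the guest-checkout question earlier on this page needs for a cart. The following stand-alone Python example is added here to show that pattern end to end; it is not code from either answer or from any project. It keeps the token in the server-side session, as the second answer suggests, rather than in the URL, because a token in a URL leaks through Referer headers, browser history and access logs. sqlite3 in memory stands in for the Django model, and the table, column and function names, the 24-hour claim window and the sample rows are all invented for the example.

```python
import secrets
import sqlite3
import time

CLAIM_WINDOW = 24 * 3600  # assumed: unclaimed drafts older than this are orphans
TOKEN_KEY = "layout_claim_token"  # assumed session key name


def init_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE layout (
               id INTEGER PRIMARY KEY,
               claim_token TEXT,          -- random token, never the visitor's future user id
               owner_id INTEGER,          -- NULL until the visitor registers
               positions TEXT NOT NULL,   -- the form payload (JSON text in the example)
               created REAL NOT NULL)"""
    )
    return conn


def get_claim_token(session):
    """Mint, once per session, the random token that ties drafts to this visitor.
    The session is server-side, so the visitor only ever holds the sessionid cookie."""
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits: not guessable or enumerable
        session[TOKEN_KEY] = token
    return token


def save_draft(conn, session, positions, now=None):
    """Anonymous save: the row is written with no owner, tagged with the session's token."""
    token = get_claim_token(session)
    cur = conn.execute(
        "INSERT INTO layout (claim_token, owner_id, positions, created) VALUES (?, NULL, ?, ?)",
        (token, positions, now if now is not None else time.time()),
    )
    return cur.lastrowid


def claim_drafts(conn, session, user_id):
    """After registration: give every draft carrying this session's token to the new user.
    Only unowned rows qualify and the token is cleared, so a replayed token cannot
    re-assign rows that were already claimed."""
    token = session.pop(TOKEN_KEY, None)
    if token is None:
        return 0
    cur = conn.execute(
        "UPDATE layout SET owner_id = ?, claim_token = NULL "
        "WHERE claim_token = ? AND owner_id IS NULL",
        (user_id, token),
    )
    return cur.rowcount


def purge_orphans(conn, now=None, max_age=CLAIM_WINDOW):
    """The cron job from the first answer: drop drafts nobody claimed within the window."""
    cutoff = (now if now is not None else time.time()) - max_age
    cur = conn.execute("DELETE FROM layout WHERE owner_id IS NULL AND created < ?", (cutoff,))
    return cur.rowcount


def owned_by(conn, user_id):
    return [r[0] for r in conn.execute(
        "SELECT id FROM layout WHERE owner_id = ? ORDER BY id", (user_id,))]


if __name__ == "__main__":
    conn = init_db()
    visitor = {}  # stands in for request.session of one anonymous visitor
    save_draft(conn, visitor, '{"photo1": [0, 0]}', now=1000.0)  # constructed sample
    save_draft(conn, visitor, '{"photo1": [5, 5]}', now=1001.0)
    print(claim_drafts(conn, visitor, user_id=7), owned_by(conn, 7))
    print(purge_orphans(conn, now=1001.0 + CLAIM_WINDOW + 1))
```

The same three functions serve a guest cart: the cart lines are the unowned rows, the session token is what the guest's sessionid indirectly points at, and login or registration is the claim step. Nothing here touches django_session directly; the only thing the visitor can present is a session key Django issued.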