On Wed, Mar 27, 2013 at 1:35 PM, Venkatraman S <venkat83@gmail.com> wrote:
> So, if I am right, usage of sessions makes an extra call to the DB for every
> view with login_required.
>
> SELECT "auth_user"."id", "auth_user"."password", "auth_user"."last_login",
> "auth_user"."is_superuser", "auth_user"."username",
> "auth_user"."first_name", "auth_user"."last_name", "auth_user"."email",
> "auth_user"."is_staff", "auth_user"."is_active", "auth_user"."date_joined"
> FROM "auth_user" WHERE "auth_user"."id" = 3
>
> ..app\debug_toolbar\utils\tracking/db.py in execute(118)
> stacktrace = tidy_stacktrace(reversed(get_stack()))
>
> I do not want to be finicky about this 'extra' DB call, but was wondering if
> someone has used the cookie-based approach and has avoided sessions
> altogether. I just wanted to understand the implications on security and
> what I need to be aware of when using cookies in this way. Any experiences?
>
> -Venkat
> http://twitter.com/venkasub
>
This query has mostly nothing to do with sessions. This query occurs
when the authentication middleware populates request.user for logged
in users. The only thing that comes from the session is the user id
and the auth backend that authorized them, which is persisted in there
at login.
The cookie-based approach does not avoid sessions; it inserts the
session data into a cookie and makes it tamper-proof. If using the
cookie-based session, the query above would still happen at exactly
the same point in the request.
Using the cookie-based session backend would only avoid a SELECT query
at the start of the request to populate the session, and an UPDATE
query at the end of the request iff the data was modified.
The downsides of using cookie-based sessions are that you are limited
in how much content you can place in there, and the session contents
are visible (but not modifiable) to the user. You lose control over
storage of the session, meaning you cannot change things in the
session (or even delete it) without the user presenting themselves at
your website.
Most of these are documented in the docs for cookie based sessions:
https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
Cheers
Tom
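An added illustration of Tom's point (example code, not from the thread and not Django's own implementation): a minimal signed-cookie session in the style of Django's signed_cookies backend, built only on the standard library. It shows that the payload can be decoded by anyone holding the cookie, that a payload re-encoded without the key fails verification, and that resolving request.user still requires the auth_user lookup by id regardless of where the session lives. SECRET_KEY, AUTH_USER and QUERY_LOG are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # constructed placeholder for settings.SECRET_KEY
AUTH_USER = {3: {"username": "venkat", "is_active": True}}  # constructed stand-in for the auth_user table
QUERY_LOG = []  # every simulated DB query is appended here

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def dump_session(session: dict) -> str:
    """Serialise the session into the cookie value and append an HMAC over it."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    return f"{payload}:{_mac(payload)}"

def peek_session(cookie: str) -> dict:
    """Decode the payload without the key: the contents are visible to whoever holds the cookie."""
    return json.loads(_unb64(cookie.rpartition(":")[0]))

def load_session(cookie: str) -> dict:
    """Verify the HMAC before trusting anything; a mismatch is treated as an empty session."""
    payload, _, mac = cookie.rpartition(":")
    if not hmac.compare_digest(mac, _mac(payload)):
        return {}
    return json.loads(_unb64(payload))

def get_request_user(cookie: str):
    """The auth middleware step: read the user id from the session, then query the DB for the row."""
    user_id = load_session(cookie).get("_auth_user_id")
    if user_id is None:
        return None
    QUERY_LOG.append(f'SELECT ... FROM "auth_user" WHERE "auth_user"."id" = {user_id}')
    return AUTH_USER.get(user_id)

def reencode_keeping_mac(cookie: str, session: dict) -> str:
    """Swap in different data but keep the old MAC, to show that verification rejects it."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    return f"{payload}:{cookie.rpartition(':')[2]}"
```

The user row lookup is the SELECT Venkat saw; switching to the cookie backend only removes the session table's own SELECT and UPDATE.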