Monday, June 3, 2013

Re: session_key varies

On Mon, Jun 3, 2013 at 11:48 AM, Wim Feijen <wim@go2people.nl> wrote:
> Hi,
>
> Is it normal that a session_key varies when a user is not logged in? And if
> so, should I then use request.COOKIES instead to store information in?
>
> In one of my projects, users can order a calendar and upload their own
> photos, one for each month. In between, I like to keep track of which photos
> have been uploaded to a certain calendar. Users don't need to login to do
> this.
>
> First, I was using the session_key to keep track of a calendar order, but I
> noticed that the key kept on varying when a colleague on a Mac clicked a
> button.
>
> Now I am wondering whether this is normal behavior, or can I do something to
> prevent it.
>
> And should I use request.COOKIES instead?
>
> Thanks for your help!
>
> Wim
>

Hi Wim

In fact, what happens is that the session id will not be fixed unless
the session has been persisted, i.e. something has been put inside the
session and the session saved.

Basically, the code flow is like this:

1. Session backend initiated with session id=None
2. You print out/access request.session.session_id
3. Accessing the session id if there is no current session id causes a
   new session id to be generated.
4. The session referred to by the session id is only persisted into the
   database if the session is modified.
5. Simply accessing the session id is not sufficient to mark the session
   as modified
6. Since the session was not saved, the session cookie is not sent to the client.
7. The client reloads the page, with no session id cookie
8. Session backend initiated with session id=None

Probably in your unauthenticated scenario, the session is completely
untouched, and therefore the (apparent) session id fluctuates between
requests, because a new session id is created for each request until
something on the request uses the session.

Cheers

Tom
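
Added example, not part of the original message and not Django's own code: a minimal pure-Python model of the request flow described in the reply above, showing the key changing on read-only requests and staying fixed once the session is written to. The names STORE, Session, handle, the view functions and the "sessionid" cookie jar are hypothetical, and the sample photo name is constructed.

```python
import secrets

STORE = {}  # stands in for the session table: key -> saved data

class Session:
    """Toy model of the flow in the reply above (hypothetical, not Django's class)."""
    def __init__(self, key=None):
        # A key arriving in a cookie is honoured only if the store knows it.
        self._key = key if key in STORE else None
        self._data = dict(STORE.get(self._key, {}))
        self.modified = False

    @property
    def session_key(self):
        # Lazily generate a key on first access; this does NOT set `modified`.
        if self._key is None:
            self._key = secrets.token_hex(16)
        return self._key

    def __setitem__(self, name, value):
        self._data[name] = value
        self.modified = True

    def save(self):
        STORE[self.session_key] = dict(self._data)

def handle(cookies, view):
    """One request/response cycle: returns (key the view saw, cookies afterwards)."""
    session = Session(cookies.get("sessionid"))
    seen = view(session)
    if session.modified:  # only a modified session is persisted and sent as a cookie
        session.save()
        cookies = {**cookies, "sessionid": session.session_key}
    return seen, cookies

def read_only_view(session):
    return session.session_key  # peeks at the key, stores nothing

def upload_view(session):
    session["calendar_photos"] = ["january.jpg"]  # constructed sample data
    return session.session_key

def demo():
    k1, jar = handle({}, read_only_view)
    k2, jar = handle(jar, read_only_view)  # no cookie was set, so a fresh key appears
    k3, jar = handle(jar, upload_view)     # writing to the session persists it
    k4, jar = handle(jar, read_only_view)  # the cookie now pins the key
    return k1, k2, k3, k4, jar
```
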
