Browse files

Added 'Session IDs in URLs' and 'Session cookies' sections to docs/se…


git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent 23bb8c4 commit 27efe14c54f3711fcb21cd2d5187be21c94b9117 @adrianholovaty adrianholovaty committed Nov 2, 2005
Showing with 42 additions and 0 deletions.
  1. +42 −0 docs/sessions.txt
@@ -158,6 +158,39 @@ This is necessary because the dictionary is stored in an encoded format::
>>> s.get_decoded()
{'user_id': 42}
+Session cookies
+A few `Django settings`_ give you control over the session cookie:
+Default: ``1209600`` (2 weeks, in seconds)
+The age of session cookies, in seconds.
+Default: ``None``
+The domain to use for session cookies. Set this to a string such as
+``""`` for cross-domain cookies, or use ``None`` for a standard
+domain cookie.
+Default: ``'hotclub'``
+The name of the cookie to use for sessions. This can be whatever you want.
+``'hotclub'`` is a reference to the Hot Club of France, the band Django
+Reinhardt played in.
+.. _Django settings:
Technical details
@@ -170,3 +203,12 @@ Technical details
data, it won't send a session cookie.
.. _`the pickle module`:
+Session IDs in URLs
+The Django sessions framework is entirely, and solely, cookie-based. It does
+not fall back to putting session IDs in URLs as a last resort, as PHP does.
+This is an intentional design decision. Not only does that behavior make URLs
+ugly, it makes your site vulnerable to session-ID theft via the "Referer"

0 comments on commit 27efe14

Please sign in to comment.