Added 'Session IDs in URLs' and 'Session cookies' sections to docs/sessions.txt

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1044 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 27efe14c54f3711fcb21cd2d5187be21c94b9117 1 parent 23bb8c4
Adrian Holovaty authored November 02, 2005

Showing 1 changed file with 42 additions and 0 deletions.

42  docs/sessions.txt
@@ -158,6 +158,39 @@ This is necessary because the dictionary is stored in an encoded format::
158 158
     >>> s.get_decoded()
159 159
     {'user_id': 42}
160 160
 
  161
+Session cookies
  162
+===============
  163
+
  164
+A few `Django settings`_ give you control over the session cookie:
  165
+
  166
+SESSION_COOKIE_AGE
  167
+------------------
  168
+
  169
+Default: ``1209600`` (2 weeks, in seconds)
  170
+
  171
+The age of session cookies, in seconds.
  172
+
  173
+SESSION_COOKIE_DOMAIN
  174
+---------------------
  175
+
  176
+Default: ``None``
  177
+
  178
+The domain to use for session cookies. Set this to a string such as
  179
+``".lawrence.com"`` for cross-domain cookies, or use ``None`` for a standard
  180
+domain cookie.
  181
+
  182
+SESSION_COOKIE_NAME
  183
+-------------------
  184
+
  185
+Default: ``'hotclub'``
  186
+
  187
+The name of the cookie to use for sessions. This can be whatever you want.
  188
+
  189
+``'hotclub'`` is a reference to the Hot Club of France, the band Django
  190
+Reinhardt played in.
  191
+
  192
+.. _Django settings: http://www.djangoproject.com/documentation/settings/
  193
+
161 194
 Technical details
162 195
 =================
163 196
 
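Review bot: The SESSION_COOKIE_DOMAIN entry calls a value such as ``".lawrence.com"`` a "cross-domain" cookie, but a leading-dot domain shares the cookie across the subdomains of one domain, and the text does not say that every host under that domain then receives the session ID. Suggest rewording to "cross-subdomain cookies" and adding one sentence on that scope, so readers widen the domain only when every subdomain is trusted with the session. Separately, "The age of session cookies, in seconds" under SESSION_COOKIE_AGE repeats the parenthetical on the Default line without saying what the age controls; stating that it is the lifetime after which the cookie expires would make the entry usable on its own.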
@@ -170,3 +203,12 @@ Technical details
170 203
       data, it won't send a session cookie.
171 204
 
172 205
 .. _`the pickle module`: http://www.python.org/doc/current/lib/module-pickle.html
  206
+
  207
+Session IDs in URLs
  208
+===================
  209
+
  210
+The Django sessions framework is entirely, and solely, cookie-based. It does
  211
+not fall back to putting session IDs in URLs as a last resort, as PHP does.
  212
+This is an intentional design decision. Not only does that behavior make URLs
  213
+ugly, it makes your site vulnerable to session-ID theft via the "Referer"
  214
+header.
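Review bot: The last sentence of the "Session IDs in URLs" paragraph names session-ID theft via the "Referer" header but does not say how the ID gets there, and "that behavior" has to be read back two sentences to find its antecedent. Suggest adding one clause explaining that a URL carrying the session ID is sent in the Referer header to any external site the user follows a link to, and replacing "that behavior" with "putting session IDs in URLs". Since the paragraph states there is no fallback, it would also help to say what a user with cookies disabled experiences, so the design decision is documented together with its consequence.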
