Metadata-Version: 2.1
Name: django-session-header-11
Version: 1.0.1
Summary: Identify the Django Session by a Header
Home-page: https://github.com/ryanhiebert/django-session-header
License: MIT
Author: Ryan Hiebert
Author-email: ryan@ryanhiebert.com
Requires-Python: >=3.6,<4.0
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Provides-Extra: drf
Requires-Dist: django (>=1.11,<2.0)
Requires-Dist: djangorestframework (>=3.9,<4.0); extra == "drf"
Project-URL: Repository, https://github.com/ryanhiebert/django-session-header
Description-Content-Type: text/x-rst

Django Session Header: Identify the session through a header
============================================================

There are some situations where the browser
may not allow any cookies at all to be used.
In those cases, we would like to be able to fall back
to something that is both secure and capable.
This package allows you to manually pass the
sessionid using a header, so that you can continue
to use Django's excellent session management.

It extends Django's built-in sessions to support
sessions in places where cookies are not allowed.
For most views, the handling will be seamless.
For those that need sessions to persist despite the
absence of cookies, there are a few extra features.


Usage
=====

First, install the package.

.. code-block:: sh

    pip install django-session-header

Replace ``django.contrib.sessions.middleware.SessionMiddleware``
in your ``settings.py`` with the following:

.. code-block:: python

    MIDDLEWARE_CLASSES = [
        # ...
        # 'django.contrib.sessions.middleware.SessionMiddleware',
        'django_session_header.middleware.SessionMiddleware',
    ]

And replace the Django Rest Framework ``SessionAuthentication``
class with ``django_session_header.authentication.SessionAuthentication``:

.. code-block:: python

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': [
            # ...
            # 'rest_framework.authentication.SessionAuthentication',
            'django_session_header.authentication.SessionAuthentication',
        ]
    }

If a session was obtained via a session header,
then ``request.session.csrf_exempt`` will be ``True``.
You can use this to conditionally apply CSRF protection.
Or, if you prefer, you can replace Django's normal CSRF middleware
with ``django_session_header.middleware.CsrfViewMiddleware``:

.. code-block:: python

    MIDDLEWARE_CLASSES = [
        # ...
        # 'django.middleware.csrf.CsrfViewMiddleware',
        'django_session_header.middleware.CsrfViewMiddleware',
    ]

The ``sessionid`` will be available in the ``X-SessionID`` response header,
and you can now set the ``X-SessionID`` header on the request manually
to avoid needing cookies to power your sessions.
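
One way to apply CSRF protection conditionally on ``request.session.csrf_exempt``, per view, as an added example that is not code from django-session-header. The decorator name and its ``protect`` parameter are hypothetical, and the request objects in ``demo()`` are constructed stand-ins; only ``csrf_protect`` and the ``csrf_exempt`` view marker are Django's own.

```python
from functools import wraps
from types import SimpleNamespace


def csrf_protect_unless_header_session(view, protect=None):
    """Enforce CSRF checks unless the session was identified by a header.

    Hypothetical helper. `protect` is the decorator that enforces CSRF on a
    view; it defaults to Django's csrf_protect and is injectable only so the
    decision logic can be exercised without a configured Django project.
    """
    if protect is None:
        from django.views.decorators.csrf import csrf_protect as protect
    protected_view = protect(view)

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        session = getattr(request, "session", None)
        # Fail closed: a missing session, a missing attribute, or any value
        # other than the literal True keeps the CSRF check in force.
        if getattr(session, "csrf_exempt", False) is True:
            return view(request, *args, **kwargs)
        return protected_view(request, *args, **kwargs)

    # Same marker Django's csrf_exempt decorator sets: a globally installed
    # CsrfViewMiddleware skips this view and leaves the decision to wrapper().
    wrapper.csrf_exempt = True
    return wrapper


def demo():
    """Run the wrapper over constructed stand-ins for Django requests."""
    def reject(view):  # stand-in for csrf_protect: always refuses
        return lambda request, *a, **kw: "403 CSRF check failed"

    guarded = csrf_protect_unless_header_session(
        lambda request: "200 OK", protect=reject)
    requests = {
        "header session": SimpleNamespace(session=SimpleNamespace(csrf_exempt=True)),
        "flag false": SimpleNamespace(session=SimpleNamespace(csrf_exempt=False)),
        "flag missing": SimpleNamespace(session=SimpleNamespace()),
        "no session": SimpleNamespace(),
    }
    return {name: guarded(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a project, decorate the view with ``@csrf_protect_unless_header_session`` and leave ``protect`` unset so Django's ``csrf_protect`` is used.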

