From 27efe14c54f3711fcb21cd2d5187be21c94b9117 Mon Sep 17 00:00:00 2001 From: Adrian Holovaty Date: Wed, 2 Nov 2005 14:26:55 +0000 Subject: [PATCH] Added 'Session IDs in URLs' and 'Session cookies' sections to docs/sessions.txt git-svn-id: http://code.djangoproject.com/svn/django/trunk@1044 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/sessions.txt | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/docs/sessions.txt b/docs/sessions.txt index b18ca25a2c..8aa711ea23 100644 --- a/docs/sessions.txt +++ b/docs/sessions.txt @@ -158,6 +158,39 @@ This is necessary because the dictionary is stored in an encoded format:: >>> s.get_decoded() {'user_id': 42} +Session cookies +=============== + +A few `Django settings`_ give you control over the session cookie: + +SESSION_COOKIE_AGE +------------------ + +Default: ``1209600`` (2 weeks, in seconds) + +The age of session cookies, in seconds. + +SESSION_COOKIE_DOMAIN +--------------------- + +Default: ``None`` + +The domain to use for session cookies. Set this to a string such as +``".lawrence.com"`` for cross-domain cookies, or use ``None`` for a standard +domain cookie. + +SESSION_COOKIE_NAME +------------------- + +Default: ``'hotclub'`` + +The name of the cookie to use for sessions. This can be whatever you want. + +``'hotclub'`` is a reference to the Hot Club of France, the band Django +Reinhardt played in. + +.. _Django settings: http://www.djangoproject.com/documentation/settings/ + Technical details ================= @@ -170,3 +203,12 @@ Technical details data, it won't send a session cookie. .. _`the pickle module`: http://www.python.org/doc/current/lib/module-pickle.html + +Session IDs in URLs +=================== + +The Django sessions framework is entirely, and solely, cookie-based. It does +not fall back to putting session IDs in URLs as a last resort, as PHP does. +This is an intentional design decision. Not only does that behavior make URLs +ugly, it makes your site vulnerable to session-ID theft via the "Referer" +header.