'Persisting session variables across login
I want to hold information about a users preferences in a session variable. If the user chooses a preference while logged out and then later logs in, I want the preference to be maintained without needing to reselect it.
Django sessions maintain a session key in a cookie to track a users session. The way I understand it, this key is changed when a user logs in.
a) Does this mean all session variables are deleted on login or is there any sort of passover
b) In the case of not being able to save preferences across a login, is manually setting cookies the best way to proceed? I imagine a scenario like:
- while logged out, maintain preferences in cookie
- on login, copy preferences to session variable and write to db (via signal?)
- on logout, update cookies with preferences (via signal?)
Update
I managed to get this functionality by saving preferences in the User's profile object, as well as in a cookie (these preferences are not sensitive in any way). When the user is logged in, their profile setting takes preference. When not logged in, the cookie preference is chosen
Solution 1:[1]
Upon login, Django calls session.flush() or session.cycle_key(), which makes sure nothing from the old session is kept. This is a security measure that protects you against session fixation vulnerabilities. So, when applying this solution, be aware what kind of variables you want to persist.
If you want to keep some state, you'll have to restore that after the login was issued.
The solution by Chase Seibert was a great start, it was very insecure due to threadsafety issues in that code. You can find an improved version here, which is safe to use:
from functools import wraps
class persist_session_vars(object):
"""
Some views, such as login and logout, will reset all session state.
(via a call to ``request.session.cycle_key()`` or ``session.flush()``).
That is a security measure to mitigate session fixation vulnerabilities.
By applying this decorator, some values are retained.
Be very aware what kind of variables you want to persist.
"""
def __init__(self, vars):
self.vars = vars
def __call__(self, view_func):
@wraps(view_func)
def inner(request, *args, **kwargs):
# Backup first
session_backup = {}
for var in self.vars:
try:
session_backup[var] = request.session[var]
except KeyError:
pass
# Call the original view
response = view_func(request, *args, **kwargs)
# Restore variables in the new session
for var, value in session_backup.items():
request.session[var] = value
return response
return inner
and now you can write:
from django.contrib.auth import views
@persist_session_vars(['some_field'])
def login(request, *args, **kwargs):
return views.login(request, *args, **kwargs)
And for class based views (django-allauth):
import allauth.account.views as auth_views
from django.utils.decorators import method_decorator
@method_decorator(persist_session_vars(['some_field']), name='dispatch')
class LoginView(auth_views.LoginView):
pass
and use that view in the url patterns:
import allauth.urls
from django.conf.urls import include, url
from . import views
urlpatterns = [
# Views that overlap the default:
url(r'^login/$', views.LoginView.as_view(), name='account_login'),
# default allauth urls
url(r'', include(allauth.urls)),
]
Solution 2:[2]
user data that persists sounds like it should live in something like a UserProfile model
Solution 3:[3]
I actually think your initial design made sense. If you want to save some session variables across the login/logout boundary, you can do something like this.
from functools import wraps
class persist_session_vars(object):
""" Some views, such as login and logout, will reset all session state.
However, we occasionally want to persist some of those session variables.
"""
session_backup = {}
def __init__(self, vars):
self.vars = vars
def __enter__(self):
for var in self.vars:
self.session_backup[var] = self.request.session.get(var)
def __exit__(self, exc_type, exc_value, traceback):
for var in self.vars:
self.request.session[var] = self.session_backup.get(var)
def __call__(self, test_func, *args, **kwargs):
@wraps(test_func)
def inner(*args, **kwargs):
if not args:
raise Exception('Must decorate a view, ie a function taking request as the first parameter')
self.request = args[0]
with self:
return test_func(*args, **kwargs)
return inner
You would throw this decorator on whatever view you're calling auth.login/logout from. If you're delegating to the built-in view for those, you can easily wrap them.
from django.contrib.auth import views
@persist_session_vars(['HTTP_REFERER'])
def login(request, *args, **kwargs):
return views.login(request, *args, **kwargs)
Solution 4:[4]
You can create a form Mixin that allows you to persist form values to the user's session (which doesn't require them being logged in). This is useful for things such as filter/sorting options on a public table-view report, where you want to keep their filter options persistent across refreshes.
View:
def list_states(request):
if request.method == 'GET':
form = StateListFilterForm().load_from_session(request.session)
elif request.method == 'POST':
form = StateListFilterForm(request.POST)
form.persist_to_session()
return render('forms/state_list.html', RequestContext(request, {'state_form': form})
Form:
class PersistableMixin:
def persist_to_session(form, session):
for key in form.fields.keys():
val = getattr(form, 'cleaned_data', form.data).get(key, None)
if val: # will not store empty str values
session[key] = val
return True
def load_from_session(form, session):
for key in form.fields.keys():
saved_val = session.get(key, '')
if saved_val: # will not load empty str values
form.fields[key].initial = saved_val
return form
class StateListFilterForm(forms.Form, PersistableMixin):
states = forms.MultipleChoiceField(required=False, choices=US_STATES)
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Jarad |
| Solution 2 | second |
| Solution 3 | Chase Seibert |
| Solution 4 |