1
0
mirror of https://github.com/django/django.git synced 2024-12-23 09:36:06 +00:00

Added 'Session IDs in URLs' and 'Session cookies' sections to docs/sessions.txt

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1044 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty 2005-11-02 14:26:55 +00:00
parent 23bb8c4a4b
commit 27efe14c54

View File

@ -158,6 +158,39 @@ This is necessary because the dictionary is stored in an encoded format::
>>> s.get_decoded()
{'user_id': 42}
Session cookies
===============
A few `Django settings`_ give you control over the session cookie:
SESSION_COOKIE_AGE
------------------
Default: ``1209600`` (2 weeks, in seconds)
The age of session cookies, in seconds.
SESSION_COOKIE_DOMAIN
---------------------
Default: ``None``
The domain to use for session cookies. Set this to a string such as
``".lawrence.com"`` for cross-domain cookies, or use ``None`` for a standard
domain cookie.
SESSION_COOKIE_NAME
-------------------
Default: ``'hotclub'``
The name of the cookie to use for sessions. This can be whatever you want.
``'hotclub'`` is a reference to the Hot Club of France, the band Django
Reinhardt played in.
.. _Django settings: http://www.djangoproject.com/documentation/settings/
Technical details
=================
@ -170,3 +203,12 @@ Technical details
data, it won't send a session cookie.
.. _`the pickle module`: http://www.python.org/doc/current/lib/module-pickle.html
Session IDs in URLs
===================
The Django sessions framework is entirely, and solely, cookie-based. It does
not fall back to putting session IDs in URLs as a last resort, as PHP does.
This is an intentional design decision. Not only does that behavior make URLs
ugly, it makes your site vulnerable to session-ID theft via the "Referer"
header.