Django Cookieless

Ed Crewe - Oct 2019

Overview

This package provides a sessions implementation and decorator class for views to allow for forms to maintain state without using cookies by posting the session id between forms, or via urls.

Django requires cookies to maintain session, and hence for authorisation.

This package is designed to cater for anonymous user session maintenance, without cookies.

WARNING : There are security issues with this, since it is not possible to use CSRF protection without session Cookies to maintain a separate token from that passed via the URL or form posts.

However there are cases when forms are used on a public site, where setting cookies is not desirable (due to privacy legislation <http://www.ico.gov.uk/>_), since technically they are not required for anonymous users to respond to forms. So if used, may necessitate requesting permission to set cookies, from the user.

Hence this package was devised to allow django to deliver multipage forms, without using cookies.

To ameliorate the security implications, a whitelist of allowed domains, can be set in the configuration.

Usage can also be restricted to a particular URL.

As another safety measure, handling of GET requests can be turned off, so that the encrypted session id is not present in any URLs.

Please NOTE: It is not advisable to use this package without some form of the above restrictions being in place.

For the purposes of using both cookie based and cookieless sessions together, there is a custom cookieless_signal(sender=request, created) and a 'no_cookies' flag when cookieless sessions are saved.

Both cater for hooking up custom code for handling these less secure sessions.

The package provides a decorator utility to turn off cookie setting for particular views (which also sets the csrf_exempt flag).

The package also handles the case of session handling for anonymous users with cookies disabled in the browser.

You can decorate views to prevent them setting cookies, whilst still retaining the use of Sessions. Usually this is easiest done in the urls.py of your core application ...

from cookieless.decorators import no_cookies

urlpatterns = [ ... path('somewhere/index', no_cookies(views.home)), ... re_path(r'^somewhere/page/(\d{1,6})$', no_cookies(views.page)), ...]

Note that if a number of browser tabs are open on to a site with cookieless, they will each maintain a completely separate session, since without cookies the session is tied to the session posted from the pages accessed, not the client as a whole.

In cases where this is not the desired behaviour, then it can be reduced by using URL rewriting to make any links to open other windows pass session across. However of course this also means that potentially a session can be shared across browsers, too.

Installation

To install add the package via pip or other build tool, e.g. bin/pip install django-cookieless

Then replace the standard Session in the middleware settings:

MIDDLEWARE = ( ... 'django.middleware.gzip.GZipMiddleware', ... 'django.middleware.common.CommonMiddleware', ... 'django.middleware.transaction.TransactionMiddleware', ... # 'django.contrib.sessions.middleware.SessionMiddleware', ... 'cookieless.middleware.CookielessSessionMiddleware', ...)

The following settings control its behaviour:

(see the example settings file)

1. Rewriting the response automatically rather than use manual <% session_token %> <% session_url %>

COOKIELESS['REWRITE'] = True

2. Rewrite URLs to add session id for no_cookies decorated views (if False then all page navigation must be via form posts)

COOKIELESS['USE_GET'] = True

3. Use client ip and user agent to encrypt session key, to add some sort of CSRF protection given the standard CSRF has to be disabled without cookies.

COOKIELESS['CLIENT_ID'] = True

4. If this list is populated then only hosts that are specifically whitelisted are allowed to post to the server. So any domains that the site is served over should be added to the list. However, if no referer is found, the session is reset, which will occur with a page reload. This helps protect against XSS attacks.

COOKIELESS['HOSTS'] = ['localhost', ]

5. Further security option to not find and persist cookie based sessions as cookieless ones since these may be tied to a user or other data. Instead new sessions are created for tying to cookieless data. This reduces the risk of cookieless allowing capture of a user's session - and hence privilege escalation attacks.

COOKIELESS['NO_COOKIE_PERSIST'] = True

6. Further security option to only keep a session for accessing a specific URL

COOKIELESS['URL_SPECIFIC'] = True

7. Delete any cookies that are found for a no_cookies decorated URL (could be ones set by other URLs)

COOKIELESS['DELETE_COOKIES'] = False

Tests

The test suite sets up a simple application to test cookies manually, and to run the functional tests against.

To run the tests, you may want to install from src (or your branch):

bin/pip install -e git+https://github.com/edcrewe/django-cookieless#egg=django-cookieless

Then run via:

bin/django-admin.py or manage.py test cookieless.tests --settings=cookieless.tests.settings

(The package was changed from a namespace package due to the issue with pip not installing the init for running tests when it does a nspkg.pth file instead)

cookieless/decorator.py

Because the django test browser has some session implementation specific mocking, it fails to work if used directly against cookieless, so to stop it breaking other tests cookieless checks to see if the django admin command has been called with the 'test' argument and sets settings.TESTING = True, and doesnt decorate with no_cookies if so.

To override this automatic disabling setting, just add TESTING = False, to your test settings.

Changelog

1.2 - 26th Oct 2019

• Fix breach mitigation test for Python 3 [Ed Crewe]
• Fix test settings to correct path [jonespm]
• Fix content-length and decode [C.Severance]

1.1 - 1st May 2019

• Rewrite for Python 3 and Django 2.2
• Remove xteacrypt and use cryptography

[Ed Crewe]

1.0 - 24th February 2014

• Test with latest Django 1.6.2
• Enforce session keys as strings if the session fails to save Due to the move of the session serializer to JSON in Django 1.6

[Ed Crewe]

0.9 - 18th August 2013

• Add protection against breach attack via nonce encryption http://breachattack.com/
• Added related test

[Chris Bailey]

• Remove line return at end of session id introduced by base64 encoding

[Ed Crewe]

0.8 - 4th January 2013

• Clean up some pylint
• Switch to base64 encoding to shorten encrypted session ids

0.7 - 18th December 2012

• Add a cookieless_signal to allow custom code to be hooked to cookieless sessions
• Pass a created flag for cookieless sessions to the signal
• Add a no_cookies marker key to cookieless sessions for the same reason
• Check automatic form rewrites to ensure that sessions are not already set manually
• Fix tests check of hidden session_id broken by extra space in hidden field
• Add post method for test class view so test posts don't throw HttpResponseNotAllowed
• Make the secret generated by settings options more unique

0.6 - 21st November 2012

• Never use the cookie for session for decorated views since it may break sessions passed by cookieless means

0.5 - 14th November 2012

• Only rewrite redirect URLs if USE_GET is True and its the same domain

0.4 - 9th November 2012

• Fix issue of not having no_cookies to test in process_request by getting it from urlresolvers Now we only check for cookie session where we should, and cookies cannot mess with cookieless sessions
• Make the deletion of any cookies that are passed on to the URL, an optional feature
• Use settings.TESTING based on argv to disable, instead of check for servername

0.3 - 7th November 2012

• Turn off cookieless for django test browser - since its hard coded to use dummy sessions if an alternative session provider is in use - otherwise cookieless could break other packages tests

• Add server name switch to re-enable test browser for cookieless functional tests

• Change anon user switch to be NO_COOKIE_PERSIST - ie. never use cookie originated sessions - move to process_response

• Make session use cookieless post / get first over cookies, if present

• Delete request cookies if found in response

• Refactor settings to a dictionary

• Add some tests

• Move fix for non-unicode key to the decrypt method

  [Ed Crewe]

0.2 - 6th November 2012

• Add COOKIELESS_ANON_ONLY setting to not use cookieless if a user is authorised

• Update example settings

• Add test suite

• Don't assume request META keys exist so OK with test client etc.

• Fix session decrypt with wrong secret - generates non-unicode key bug rather than new session

• Add SPECIFIC_URL option for extra security for sessions

  [Ed Crewe]

0.1 - 4th November 2012

• Initial release

• Django snippets - http://djangosnippets.org/snippets/1540/ Basis of middleware

• Add simple crypt of sessionid when used in HTML

• Call standard contrib.sessions.Session if not decorated as no_cookies

• Add CSRF exempt decorator too to ensure cookie not set by that

• Add templatetags for users who prefer manual adding of session ids

• Add settings options to configure level of security applied, e.g. whitelist of referers, no URL rewriting etc.

  [Ed Crewe, julio carlos and Ivscar (snippet), Paul Chakravarti (xteacrypt)]