How sessions work in NAV vs. Django

[hmpf]

I've made a minimal django site to test how NAV sessions work compared to how Django sessions work. I'm using this discussion-thread as a notebook.

To follow along, you need at minimum:

INSTALLED_APPS = [
    'django.contrib.sessions',
    'mytestsite.mytestapp', 
]

and

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
]

and comment out 'django.contrib.auth.context_processors.auth' and 'django.contrib.messages.context_processors.messages' in TEMPLATES -> OPTIONS -> context_processors.

in settings.py.

(It is necessary to remove django.contrib.auth.context_processors.auth because it needs the django.contrib.contenttypes app installed which means lots of extra database tables. This is because the non-database backed user AnonynousUser is in a file that imports ContentType from django.contrib.contenttypes.models...)

[hmpf]

In Django, no session cookie is set by default. The moment request.session is no longer empty, the cookie is set.

[hmpf]

In NAV, the session cookie is always set because request.account is always set to NAV's database-backed anonymous user.

[hmpf]

Changing SESSION_SERIALIZER:

Given that a session cookie has been set, the setting has been changed, and the server restarted:

• If visiting a page that does nothing with the cookie, nothing happens
• If visiting a page that explicitly reads or writes to the cookie, you get an exception that'll depend on the new serializer in question

Running python manage.py clearsessions does not fix the problem.

[hmpf]

There does not seem to be a howto on how to change from one serializer to another in a production system. If not using cookies as session storage, the old PickleSerializer should be safe to use. We could vendor it and add a check that it is not used together with SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'.

[hmpf]

I guess if we really needed to switch session serializers we could add a middleware or context-processor that caught the exception, flushed the session, then reloaded the wanted page.