class documentation
class SessionMechanism(Names):
Mechanisms which can be used to identify and authenticate a session.
Class Variable | Cookie | The Cookie session mechanism involves looking up the session identifier via an HTTP cookie. Session objects retrieved via this mechanism may be vulnerable to CSRF attacks and therefore must have CSRF protections applied to them. |
Class Variable | Header | The Header mechanism retrieves the session identifier via a separate header such as "X-Auth-Token". Since a different-origin site in a browser can easily send a form submission including cookies, but ... |
Cookie =
The Cookie session mechanism involves looking up the session identifier via an HTTP cookie. Session objects retrieved via this mechanism may be vulnerable to CSRF attacks and therefore must have CSRF protections applied to them.
Header =
The Header mechanism retrieves the session identifier via a separate header such as "X-Auth-Token". Since a different-origin site in a browser can easily send a form submission including cookies, but can't easily put stuff into other arbitrary headers, this does not require additional protections.
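
The distinction between the two mechanisms, as an added example that is not code from the documented project: a request gate that demands a CSRF token only when the session was located via a cookie. The `enum` stand-in for `SessionMechanism`, the `session_id` cookie name, the `csrf_token` form field, and the `locate_session` and `authorize` helpers are assumptions made for illustration.

```python
import hmac
from enum import Enum


class SessionMechanism(Enum):
    """Stand-in for the documented class (assumption: plain enum, not Names)."""
    Cookie = "Cookie"
    Header = "Header"


# Methods that should not change state and so are not gated on a CSRF token.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Constructed sample store: session identifier -> per-session CSRF token.
SESSIONS = {"sid-constructed-1": "csrf-constructed-token"}


def locate_session(headers, cookies):
    """Return (session_id, mechanism), or (None, None) if no session matches.

    The header is checked first, so a client that sends both is treated as
    a Header session (hypothetical policy for this example).
    """
    sid = headers.get("X-Auth-Token")
    if sid in SESSIONS:
        return sid, SessionMechanism.Header
    sid = cookies.get("session_id")  # hypothetical cookie name
    if sid in SESSIONS:
        return sid, SessionMechanism.Cookie
    return None, None


def authorize(method, headers, cookies, form):
    """Return 'ok', 'no-session' or 'csrf-rejected' for one request."""
    sid, mechanism = locate_session(headers, cookies)
    if sid is None:
        return "no-session"
    # Cookies are attached by the browser to cross-origin form posts, so a
    # cookie-located session proves nothing about where the request came from.
    if mechanism is SessionMechanism.Cookie and method.upper() not in SAFE_METHODS:
        supplied = form.get("csrf_token", "")  # hypothetical form field
        expected = SESSIONS[sid]
        # Constant-time comparison avoids leaking the token through timing.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return "csrf-rejected"
    # Header sessions need no extra check: another origin cannot easily set
    # an arbitrary header such as X-Auth-Token.
    return "ok"
```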