21

I'm looking to disable the automatic session creation in Django for certain URLs. I have /api/* and each client that hits that gets a new Django session. Is there a way to ignore certain urls?

Mike
  • 7,769
  • 13
  • 57
  • 81

3 Answers3

23

A trivial solution to this is to have your webserver distinguish between API calls and regular calls, then have two different WSGI instances of your application: one with sessions enabled, the other with sessions disabled. (This is probably much easier with Nginx than with Apache.)

An alternative is to inherit SessionMiddleware and then edit the process functions to ignore all requests matching your criteria. Something like:

from django.contrib.sessions.middleware import SessionMiddleware

class MySessionMiddleware(SessionMiddleware):
    def process_request(self, request):
        if request.path_info[0:5] == '/api/':
            return
        super(MySessionMiddleware, self).process_request(request)

    def process_response(self, request, response):
        if request.path_info[0:5] == '/api/':
            return response
        return super(MySessionMiddleware, self).process_response(request, response)

And then edit your setting's file so that MIDDLEWARE_CLASSES contains the path to "MySessionMiddleware" and not 'django.contrib.sessions.middleware.SessionMiddleware'.

Bartek
  • 15,269
  • 2
  • 58
  • 65
Elf Sternberg
  • 16,129
  • 6
  • 60
  • 68
  • 3
    Thanks for the info. 1 caveat though. If you're using django authentication the session middleware is required. Also process_response needs to return the response. – Declan Shanaghy Nov 18 '10 at 18:57
  • 3
    This looks like what I needed. One tip: Use `if reqest.path_info.startswith('/api/')` instead of slicing the string. – Martin Vilcans Sep 06 '11 at 10:10
  • Shouldn't the process_response return the response object? def process_response(self, request, response): if request.path_info[0:5] == '/api/': return response return super(MySessionMiddleware, self).process_response(request, response) – Evan R. Oct 27 '11 at 20:42
  • 1
    @EvanR. Yes, it should, of course. I've fixed it. Thank you. (I'm spoiled by Coffeescript these days) – Elf Sternberg Oct 28 '11 at 16:06
  • 2
    I had an issue with this. I have other middleware dependent on SessionMiddleware. Now, I was thinking of inheriting those and ignoring the path as well but then it leads to even further dependency issues for a chain of other middleware. – dtc Aug 22 '13 at 22:55
  • 4
    @dtc & @Declan in my case it was AuthenticationMiddleware who was complaining about session not being present in the request. I fixed it setting `request.session = {}` before returning in the `process_request` method. – dukebody Jul 20 '15 at 10:48
  • @dukebody Thank you! That was needed for me also. – ruohola May 24 '20 at 12:04
4

I upvoted the accepted answer, but note that you can also use the decorator_from_middleware method to selectively enable middleware on a per-view basis. See the StackOverflow answers to Non-global middleware in Django for more details.

Community
  • 1
  • 1
vinod
  • 2,358
  • 19
  • 26
2

It is also possible in custom middleware, or anywhere else for that matter, to just override request.session.save method before the response is processed in SessionMiddleware, where the method is called.

request.session.save = lambda: None

Trivial, does work.

The benefit of this approach, though it is de-facto a hack, is that the session object is still accessible and can be used the usual way without need for any further changes in the code.

Jan Janský
  • 29
  • 3