51

This is my code:

```python
from django.shortcuts import render_to_response, get_object_or_404
from django.template import RequestContext
from django import http
from django.http import HttpResponse

def main(request, template_name='index.html'):
    HttpResponse.set_cookie('logged_in_status', 'zjm1126')
    context ={
              'a':a,
              'cookie':HttpResponse.get_cookie('logged_in_status'),
    }

    return render_to_response(template_name, context)
    #return http.HttpResponsePermanentRedirect(template_name)
```

It raises this exception:

unbound method set_cookie() must be called with HttpResponse instance as first argument (got str instance instead)

What can I do?

rhashimoto
zjm1126

2 Answers

148

You can't just start calling methods on the `HttpResponse` class; you have to instantiate it, e.g. `response = HttpResponse("Hello World")`, call the cookie method, and then return it from your view.

```python
response = render_to_response(template_name, context)

response.set_cookie('logged_in_status', 'never_use_this_ever')
return response
# remember my other answer:
# it's a terrible idea to set logged in status on a cookie.
```

To get the cookie:

```python
request.COOKIES.get('logged_in_status')
# remember, this is a terrible idea.
```
0xc0de
Yuji 'Tomita' Tomita
  • 2
    It's OK to set logged in status (I do it all the time) just don't use it in server side code. – Blaze Nov 30 '13 at 01:40
  • 3
    Where is your other answer and why is it not okay? – avi Jun 03 '15 at 15:46
  • 15
    @avi, I'm not sure where my other answer is, but it's a terrible idea because cookies can be easily modified by clients, therefore using a cookie to determine if a user is logged in is extremely insecure. I could easily set my cookie `logged_in_status` to True without logging in. – Yuji 'Tomita' Tomita Jun 03 '15 at 23:17
  • 4
    The point being: don't make it a boolean flag, but a session_id of some sort. So the client can't just "decide" it is logged-in. Of course auth does this for you. – Scott Smith Jan 05 '16 at 18:00
  • 1
    Definitely do NOT send your session id https://docs.djangoproject.com/en/1.10/ref/settings/#sessions "if your code depends on reading session cookies from JavaScript, you’re probably doing it wrong." Also, cookies can't be modified by clients if they're sent with the HTTPOnly flag. "Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it)." – cs01 Nov 06 '16 at 14:50
  • Thanks so much.. Really nice – Sunny Chaudhari May 09 '17 at 09:14
  • 6
    @cs01, "Also, cookies can't be modified by clients if they're sent with the HTTPOnly flag". This is only for browser clients. Manipulating httponly cookies outside of the browser is pretty straightforward, so although you are mostly correct I don't think it is good to assume that HTTPOnly cookies are safe from tampering. I agree with your other points though. – Phillip Martin Apr 02 '18 at 19:12
  • 1
    You can also set a default value if the cookie does not/yet exist - `request.COOKIES.get('key', 'default')` – Padawan Mar 09 '20 at 19:44
2

In case you want the raw cookie string (tested with Django 4.1)

```python
request.META.get('HTTP_COOKIE')
```
Arnaud P
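The tampering concern raised in the comments on the first answer, as an added example that is not part of the original question or answers: a cookie value carries a server-side HMAC, so an edit made by the client is detected when the raw `Cookie` header is parsed. It uses only the standard library; `SECRET_KEY`, `sign`, `unsign`, `build_set_cookie` and `read_cookie` are hypothetical names, and Django provides the same kind of check through `response.set_signed_cookie()` and `request.get_signed_cookie()`.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Assumption: stands in for a secret that only the server knows.
SECRET_KEY = b"constructed-demo-key"


def _mac(value):
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def sign(value):
    """Return 'value:mac' so the server can detect client-side edits."""
    return f"{value}:{_mac(value)}"


def unsign(signed):
    """Return the original value, or None when the MAC is missing or wrong."""
    value, sep, mac = signed.rpartition(":")
    if not sep:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if ok else None


def build_set_cookie(name, value):
    """Server side: Set-Cookie header value with a signed payload, HttpOnly."""
    jar = SimpleCookie()
    jar[name] = sign(value)
    jar[name]["httponly"] = True
    return jar[name].OutputString()


def read_cookie(raw_cookie_header, name):
    """Server side: parse the raw Cookie header and verify the signature."""
    jar = SimpleCookie()
    jar.load(raw_cookie_header)
    return unsign(jar[name].value) if name in jar else None


# Constructed headers: the cookie as issued, and a copy edited by the client.
header = build_set_cookie("user", "zjm1126")
honest = header.split(";")[0]                # "user=zjm1126:<mac>"
forged = honest.replace("zjm1126", "admin")  # value changed, old MAC kept

if __name__ == "__main__":
    print(read_cookie(honest, "user"))                               # zjm1126
    print(read_cookie(forged, "user"))                               # None
    print(read_cookie("logged_in_status=True", "logged_in_status"))  # None
```

The signature gives integrity only: the value is still readable by the client, and `HttpOnly` only keeps page scripts from touching it, so the server-side check is what rejects an edited cookie.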