django : don't return cookie for a particular endpoint

manpreet Best Answer 2 years ago

I need to return a response from Django without returning a cookie.

I'm trying to implement a webhook client API that requires:

• the use of https
• response within 5 seconds
• no body in the response
• no cookies in the response headers
• a 401 unauthorised status code for invalid hmac signatures

I'm working on Django 1.10 (soon to be upgraded to 2.x) where the rest of the app is protected by user validation via sessions.

Part of the endpoint view is as follows:

response200 = HttpResponse(status=200)
response401 = HttpResponse(status=401)
response401.close()  # attempt not to set cookie

signature = request.META.get('HTTP_WEBHOOK_SIGNATURE')

if not request.method == 'POST':
    return response401
if not signature:
    return response401

and so on.

However my attempt to avoid setting the session using response401.close() doesn't work. I've also tried del response401['Set-Cookie']see Django docs

The cookie LocalTest... is still set in this curl session:

$ curl -d "param1=value1&param2=value2" \
       -H "webhook-signature: $SIGVAL" \
       -H "Content-Type: application/x-www-form-urlencoded" \
       -X POST http://127.0.0.1:8000/invoices/webhookendpoint \
       -w "\n" -v
...
* Connected to 127.0.0.1 (127.0.0.1) port 8000 (#0)
> POST /invoices/webhookendpoint HTTP/1.1
> Host: 127.0.0.1:8000
> User-Agent: curl/7.52.1
> Accept: */*
> x-xero-signature: ZSlYlcsLbYmas53uHNrBFiVL0bLbIKetQI6x8JausfA=n
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 27
> 
* upload completely sent off: 27 out of 27 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Thu, 11 Apr 2019 08:32:50 GMT
< Server: WSGIServer/0.1 Python/2.7.13
< Vary: Cookie
< Content-Type: text/html; charset=utf-8
< Set-Cookie:  LocalTest=gwx7jhsshy2qvtct1rmzv86h7xshe6ot; httponly; Path=/
< 
* Curl_http_done: called premature == 0
* Closing connection 0

manpreet 2 years ago

It appears that this works:

# ensure no cookie header is set
del request.session
response200 = HttpResponse(status=200)
response401 = HttpResponse(status=401)
...

as shown in the curl response:

< HTTP/1.0 200 OK
< Date: Thu, 11 Apr 2019 08:49:28 GMT
< Server: WSGIServer/0.1 Python/2.7.13
< Content-Type: text/html; charset=utf-8
< 

Naturally, if you go to this endpoint as a logged in user, you will have to log in again.