django-cookieless provides a sessions implementation and decorator class for views to allow for forms to maintain state without using cookies by posting the session id between forms, or via url rewriting.

Django requires cookies to maintain session, and uses these as the basis for authorisation.

This package is designed to cater for anonymous user session maintenance, without cookies. The use case being the desire to avoid setting cookies (due to privacy legislation) for anonymous users responding to forms or otherwise requiring session maintenance.

The package also caters for multiple sessions for a single browser, and session handling for browsers with cookies disabled.

It has a number of security features to reduce the security issues that are associated with not using cookies. These include encryption of the session ids, separation of session ids used without cookies to those from cookie transport, to prevent sessions connected to users be passed via cookieless methods. Addition of client id and browser to the encryption secret to tie sessions to a particular client as far as possible without a cookie.