Django session authentication and disabled cookies



No, authentication is cookie-based - the session ID is stored in cookies!

The Django sessions framework is entirely, and solely, cookie-based. It does not fall back to putting session IDs in URLs as a last resort, as PHP does. This is an intentional design decision. Not only does that behavior make URLs ugly, it makes your site vulnerable to session-ID theft via the “Referer” header.

There are workarounds, for example you can put the session ID in the query string. Check this article: http://www.stereoplex.com/blog/cookieless-django-sessions-and-authentication-with

Warning from author: don't do what I'm about to describe unless you understand the potential security consequences

Middleware that gets the session ID from request.GET and puts it in request.COOKIES (the FakeSessionCookie middleware has to be placed before the SessionMiddleware in settings.py):

from django.conf import settings


class FakeSessionCookieMiddleware(object):
    """Copy the session ID from the query string into request.COOKIES.

    SessionMiddleware only looks at request.COOKIES, so this middleware must
    run before it. Nothing is done when a real session cookie is present.
    """

    def process_request(self, request):
        if settings.SESSION_COOKIE_NAME not in request.COOKIES \
                and settings.SESSION_COOKIE_NAME in request.GET:
            request.COOKIES[settings.SESSION_COOKIE_NAME] = \
                request.GET[settings.SESSION_COOKIE_NAME]

After authentication you should include the session ID as a URL (GET) parameter in all requests to the server.
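As an added example (not code from the answer above or from Django), the following check reflects the Referer-leak concern quoted from the Django docs: once the session ID travels in the query string, it shows up in request URLs and in the Referer header of every follow-up request, so a log scan can tell you whether that is happening. The combined-log-format regex, the cookie name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed cookie name; Django's settings.SESSION_COOKIE_NAME defaults to this.
SESSION_COOKIE_NAME = "sessionid"

# Constructed sample access-log lines (combined log format), not real traffic.
# Line 1 carries the session ID in the request URL; line 2 shows the same ID
# leaking onward in the Referer header of the next request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /account/?sessionid=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://example.com/account/?sessionid=abc123def456" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Pulls the request line's method and path, and the quoted Referer field.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def session_ids_in_url(url, cookie_name=SESSION_COOKIE_NAME):
    """Return every value of the session parameter in a URL's query string."""
    return parse_qs(urlsplit(url).query).get(cookie_name, [])


def find_leaks(log_text, cookie_name=SESSION_COOKIE_NAME):
    """Return (line_no, where, session_id) for each session ID found in a
    request path ("request-url") or in a Referer header ("referer")."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a combined-log-format line; skip it
        for sid in session_ids_in_url(match.group("path"), cookie_name):
            findings.append((line_no, "request-url", sid))
        for sid in session_ids_in_url(match.group("referer"), cookie_name):
            findings.append((line_no, "referer", sid))
    return findings


if __name__ == "__main__":
    for line_no, where, sid in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: session ID {sid} exposed via {where}")
```

A Referer hit on a same-site request, as in the sample, means the same header would be sent to any external site linked from that page.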


According to docs:

Django provides full support for anonymous sessions. The session framework lets you store and retrieve arbitrary data on a per-site-visitor basis. It stores data on the server side and abstracts the sending and receiving of cookies. Cookies contain a session ID – not the data itself... more here

Django uses cookie-based sessions, so authentication won't work without cookies.