I have not found a way to make changes in the auth package that prevent session creation. As soon as a user is looked up (even an Anonymous user), a session record is created.
However, I have found that an additional change in the horizon middleware can help. This change is needed in process_response, at the end of the method. This means it is one of the last things called. The code to add is:
    # Delete the session record that was created for an unauthenticated user
    if not request.user.is_authenticated():
        request.session.delete(request.session.session_key)
For a db backed session, this calls:
https://github.com/django/django/blob/master/django/contrib/sessions/backends/db.py#L70
I am not sure how this works with the signed cookie based sessions, or even with the memcached sessions. Would this be an acceptable approach?