It seems a little harsh to halt processing of a request whenver the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all, until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:
- The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
- Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).
I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.
