id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3716	[patch] Introducing newsessions	Anton Khalikov <anton@…>	Adrian Holovaty	"Hello everyone

Firstly, there is an old ticket #1180 which was reopened by me today. The problem with current sessions is that there is a chance to get a duplicate session 'by design', because there is time between generating a new session id, checking that it is clean, and actually saving the new session with this id to the db. So, any django-powered project with high traffic.

newsessions is a fork of the old sessions, but it has a completely different approach to generating new sessions: it actually creates a new empty session with a unique id in the database and returns it, so there is a 100% guarantee that there will be no duplicates.

Also, there is another problem in the sessions module: if any malicious user scans network traffic, there is a chance for him to get one's session id and successfully use it, because Django has no mechanism to check the IP from which a session was created and from which it is actually used. Of course, newsessions has no such problem because of built-in IP checking :)

The newsession module uses a different table than django_session, so everyone who wants to try this module doesn't need to break anything. All you need to do is change django.contrib.session.* to django.contrib.newsession.* in your settings.py"		closed	Core (Other)	dev		duplicate			Design decision needed	1	0	0	0	0	0
