id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14634	Sessions are unnecessarily complex	Paul McMillan	Paul McMillan	"Django includes [http://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends several backends] for storing session data. None of these store data in a manner that is accessible to clients. The backends rely on trusted infrastructure: the database, the cache, or the filesystem.

For all of recorded history (since the earliest svn checkins), Django has [http://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/base.py#L91 stored session data in an obfuscated format]. We pickle the data, hash it, and store the hash + base64(data). To retrieve session data, [http://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/base.py#L97 we do the opposite]: pull the string from our trusted backend, hash the data, compare to the stored hash, and then if it matches, return it.

My best guess is that this is a holdover from an earlier era when Ellington stored session data client side in cookies. None of the default backends support this, and it [http://code.djangoproject.com/ticket/14579 may not currently be possible].

This means that we are running significant extra code every time we hit the session store. We trust the supplied backends, but we don't know that a user hasn't subclassed [http://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/base.py the base backend] to depend on this hashing behavior.

I propose that we rework the base backend to include an `InsecureSessionBase` which our provided backends subclass. This new class will provide simple key/value behavior without the hashing. We will retain the current hashing behavior in the `SessionBase` class for backwards compatibility, and it will inherit from `InsecureSessionBase` for all other methods."		closed	contrib.sessions	1.2		wontfix			Accepted	0	0	0	0	0	0
