Opened 2 years ago

Closed 2 years ago

#17225 closed Cleanup/optimization (duplicate)

Salt used for cookie-based sessions isn't consistent with module name

Reported by: julien
Owned by: nobody
Component: contrib.sessions
Version:
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by julien)

The salt used for dumping/loading cookie-based sessions is 'django.contrib.sessions.backends.cookies':

https://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/signed_cookies.py?rev=16466#L92

https://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/signed_cookies.py?rev=16466#L36

It'd make more sense if it were 'django.contrib.sessions.backends.signed_cookies' to reflect the actual module name.

Attachments (0)

Change History (4)

comment:1 Changed 2 years ago by julien

  • Description modified (diff)
  • Summary changed from Salt to Salt used for cookie-based sessions isn't consistent with module name

comment:2 Changed 2 years ago by lukeplant

Changing this would break everyone's signed session cookies. This feature was added since 1.3, so we are still allowed to change it, but we might not want to for the sake of those following trunk.

The possibility of a future clash here is pretty minimal - it would only happen if we also add a django.contrib.sessions.backends.cookies module, which presumably would be a cookie backend without signing (why would we want that?), and then also change our mind and use signing with it after all!

comment:3 Changed 2 years ago by julien

Yes, this "problem" really isn't a huge deal. If we don't make the change, then at least a comment could be added in the code, explaining that the inconsistency was kept for "backwards compatibility" reasons.

If one uses trunk in production then one should be aware that they're exposing themselves to occasional breakages. For that reason then we could allow ourselves to make the change before 1.4 gets released.

comment:4 Changed 2 years ago by jezdez

  • Resolution set to duplicate
  • Status changed from new to closed

Actually this was fixed as part of r17101 (#17223).
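
The compatibility concern raised in comment:2, as an added example that is not part of the ticket and is not Django's own code: a simplified standard-library model of salt-namespaced HMAC signing, showing that a cookie signed under the old salt stops verifying once the salt string changes. The secret, the payload, the key derivation and the function names are all assumptions made for illustration; only the two salt strings come from the ticket.

```python
import base64
import hashlib
import hmac

# Constructed values for the demonstration; SECRET stands in for SECRET_KEY.
SECRET = b"constructed-secret-key-for-demo"
OLD_SALT = "django.contrib.sessions.backends.cookies"         # salt quoted in the ticket
NEW_SALT = "django.contrib.sessions.backends.signed_cookies"  # salt proposed in the ticket


def _signature(value: str, salt: str) -> str:
    # Simplified model (assumption): derive a per-salt key, then HMAC the value.
    key = hashlib.sha256(salt.encode() + SECRET).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign(value: str, salt: str) -> str:
    """Return 'value:signature' for the given salt namespace."""
    return f"{value}:{_signature(value, salt)}"


def unsign(signed: str, salt: str) -> str:
    """Return the original value, or raise ValueError if the signature is bad."""
    value, _, sig = signed.rpartition(":")
    expected = _signature(value, salt)
    # Constant-time comparison so verification does not leak signature bytes.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    return value


def survives_salt_change(cookie: str, verify_salt: str) -> bool:
    """True if a previously issued cookie still verifies under verify_salt."""
    try:
        unsign(cookie, verify_salt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cookie = sign("constructed-session-payload", OLD_SALT)
    print("verifies under old salt:", survives_salt_change(cookie, OLD_SALT))
    print("verifies under new salt:", survives_salt_change(cookie, NEW_SALT))
```

The same property is what makes the salt useful as a namespace: a value signed for one purpose cannot be replayed where a different salt is expected, even though both share one secret.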
