Opened 13 years ago

Closed 13 years ago

#17225 closed Cleanup/optimization (duplicate)

Salt used for cookie-based sessions isn't consistent with module name

Reported by: Julien Phalip Owned by: nobody
Component: contrib.sessions Version:
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Julien Phalip)

The salt used for dumping/loading cookie-based sessions is 'django.contrib.sessions.backends.cookies':

https://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/signed_cookies.py?rev=16466#L92

https://code.djangoproject.com/browser/django/trunk/django/contrib/sessions/backends/signed_cookies.py?rev=16466#L36

It'd make more sense if it were 'django.contrib.sessions.backends.signed_cookies' to reflect the actual module name.

Change History (4)

comment:1 by Julien Phalip, 13 years ago

Description: modified (diff)
Summary: SaltSalt used for cookie-based sessions isn't consistent with module name

comment:2 by Luke Plant, 13 years ago

Changing this would break everyone's signed session cookies. This feature was added since 1.3, so we are still allowed to change it, but we might not want to for the sake of those following trunk.

The possibility of a future clash here is pretty minimal - it would only happen if we also add a django.contrib.sessions.backends.cookies module, which presumably would be a cookie backend without signing (what would we want that?), and then also change our mind and use signing with it after all!

comment:3 by Julien Phalip, 13 years ago

Yes, this "problem" really isn't a huge deal. If we don't make the change, then at least a comment could be added in the code, explaining that the inconsistency was kept for "backwards compatibility" reasons.

If one uses trunk in production then one should be aware that they're exposing themselves to occasional breakages. For that we reason then we could allow ourselves to make the change before 1.4 gets released.

comment:4 by Jannis Leidel, 13 years ago

Resolution: duplicate
Status: newclosed

Actually this was fixed as part of r17101 (#17223).

Note: See TracTickets for help on using tickets.
Back to Top