id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
18194	File-based session never expire	Edwin	Aymeric Augustin	"Unlike other session backends, session expiry is never checked for file-based sessions when loading a session. The consequence of this is that, although the browser will not send an expired cookie with the Django session ID, a user can work around this by modifying his system time so the browser still sends the expired cookie. Since Django doesn't check for the session expiry on the server, this expired session ID is seen as valid by Django.

I am running 1.3.1, but looking at the 1.4 source, the bug is still there. Looking at the source code, this loading method should check for session expiry:

{{{
def load(self):
    session_data = {}
    try:
        session_file = open(self._key_to_file(), ""rb"")
        try:
            file_data = session_file.read()
            # Don't fail if there is no data in the session file.
            # We may have opened the empty placeholder file.
            if file_data:
                try:
                    session_data = self.decode(file_data)
                except (EOFError, SuspiciousOperation):
                    self.create()
        finally:
            session_file.close()
    except IOError:
        self.create()
    return session_data
}}}


The bug was first brought up on the mailing list:
[https://groups.google.com/forum/#!msg/django-developers/tB_F9rRx7Lg/y70AEdejud8J]"	Bug	closed	contrib.sessions	dev	Release blocker	fixed		crodjer@… tomas.ehrlich@…	Ready for checkin	1	0	0	0	0	0
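The following is an added example, not Django's own code and not part of the ticket: a minimal file-backed session store whose load() performs the server-side expiry check the report says is missing. It keeps the shape of the quoted load() (key-to-file naming, tolerating an empty placeholder file, discarding corrupt data) and adds the check, using an explicit expiry timestamp stored in the session data when one was set and otherwise the file's mtime plus a cookie-age constant. The class name FileSessionStore, the `_session_expiry` key, the JSON encoding and the demo() helper are this example's own choices; SESSION_COOKIE_AGE borrows Django's setting name but is a plain constant here, and Django itself is not required to run it.

```python
"""Added example: file-based sessions with expiry enforced on load.
Not Django's implementation; names and storage format are this example's."""
import json
import os
import tempfile
import time

SESSION_COOKIE_AGE = 1209600  # seconds; two weeks, Django's default value


class FileSessionStore:
    """Minimal file-backed session store (example code, not Django's)."""

    def __init__(self, storage_path, session_key):
        self.storage_path = storage_path
        self.session_key = session_key

    def _key_to_file(self):
        # Same naming idea as the quoted backend: a prefix plus the key.
        return os.path.join(self.storage_path, "sessionid" + self.session_key)

    def save(self, data, expiry_seconds=None):
        # An explicit expiry travels inside the session data as an absolute
        # epoch timestamp under '_session_expiry' (this example's key name).
        # Without one, file mtime + SESSION_COOKIE_AGE decides in load().
        payload = dict(data)
        if expiry_seconds is not None:
            payload["_session_expiry"] = time.time() + expiry_seconds
        with open(self._key_to_file(), "w") as fh:
            json.dump(payload, fh)

    def _expiry_date(self, session_data):
        explicit = session_data.get("_session_expiry")
        if explicit is not None:
            return float(explicit)
        return os.path.getmtime(self._key_to_file()) + SESSION_COOKIE_AGE

    def load(self):
        path = self._key_to_file()
        try:
            with open(path, "r") as fh:
                file_data = fh.read()
        except IOError:
            return {}            # no such session: start empty
        if not file_data:
            return {}            # empty placeholder file, as in the ticket
        try:
            session_data = json.loads(file_data)
        except ValueError:
            os.remove(path)      # corrupt payload: discard it, never trust it
            return {}
        # The server-side check the ticket asks for: a session past its
        # expiry is rejected whatever cookie the client presents, so a
        # client clock rolled back gains nothing.
        if self._expiry_date(session_data) < time.time():
            os.remove(path)
            return {}
        return session_data


def demo():
    """Exercise three files: live, explicitly expired, and aged past
    SESSION_COOKIE_AGE via its mtime. Returns what load() yields for each,
    plus whether the expired file was removed."""
    with tempfile.TemporaryDirectory() as d:
        live = FileSessionStore(d, "live")
        live.save({"user_id": 42}, expiry_seconds=3600)
        expired = FileSessionStore(d, "expired")
        expired.save({"user_id": 7}, expiry_seconds=-1)   # already in the past
        aged = FileSessionStore(d, "aged")
        aged.save({"user_id": 9})                         # no explicit expiry
        past = time.time() - SESSION_COOKIE_AGE - 60
        os.utime(aged._key_to_file(), (past, past))       # backdate the file
        return (
            live.load().get("user_id"),
            expired.load(),
            aged.load(),
            os.path.exists(expired._key_to_file()),
        )


if __name__ == "__main__":
    print(demo())  # (42, {}, {}, False)
```

The point of the demo is that none of the three outcomes depends on the client: the live session is returned, the two expired ones come back empty and their files are gone, and a cookie for either expired key would be treated exactly like an unknown one.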
