
#19155 closed Bug (invalid)

New session backend instance does not respect a session_key parameter.

Reported by: niwi Owned by: nobody
Component: contrib.sessions Version: 1.4
Severity: Normal Keywords:
Cc: niwi@… Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When I create an instance of the backend session with a specified key, if this key does not exist, it creates a new key without respecting the one I specifically forced.

Is this appropriate behavior? In my point of view, no.
This makes it much more complicated to create sessions with specific keys and forces me to do ugly hacks. That's because I have to access the backend-specific low-level API to create the key for them. (This generates backend-dependent code.)

I hope I have explained well.

Test cases to reproduce the bug: https://github.com/niwibe/django/compare/bug/session-key

Attachments (0)

Change History (2)

comment:1 Changed 18 months ago by niwi

  • Cc niwi@… added
  • Has patch set
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

I added a possible solution to the same branch. It passes all tests.

comment:2 Changed 18 months ago by lrekucki

  • Resolution set to invalid
  • Status changed from new to closed
  • Triage Stage changed from Unreviewed to Design decision needed

Judging by the comment on the test you modified:

     def test_invalid_key(self):
         # Submitting an invalid session key (either by guessing, or if the db has
         # removed the key) results in a new key being generated.

and the docs:

In order to prevent session fixation attacks, sessions keys that don't exist are regenerated.

it's certainly not a bug (because it works as documented and we test for it), thus closing.

I don't see an obvious use case for creating sessions with explicit keys, so if you decide to reopen this ticket as a feature request, please describe yours in more detail.
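Added illustration (not part of the ticket and not Django's code): a minimal in-memory model of the documented behaviour quoted in comment:2, showing what changes when a store honours a caller-supplied key that does not exist. `ToySessionStore`, `accept_unknown_keys`, `handle_login` and the sample key are hypothetical names and constructed values.

```python
import secrets


class ToySessionStore:
    """In-memory model of the behaviour discussed in the ticket.

    Hypothetical class, not Django's SessionBase. accept_unknown_keys=True
    models the behaviour the reporter asked for; False models the documented one.
    """

    def __init__(self, db, session_key=None, accept_unknown_keys=False):
        self.db = db
        self.session_key = session_key
        if session_key in db:
            self.data = dict(db[session_key])  # known key: load stored data
        else:
            self.data = {}
            if not (accept_unknown_keys and session_key):
                # Unknown or missing key: ignore the supplied value, mint a fresh one
                self.session_key = secrets.token_urlsafe(24)

    def save(self):
        self.db[self.session_key] = dict(self.data)


def handle_login(db, cookie_key, user, accept_unknown_keys):
    """Simulate a login request carrying cookie_key; return the key in use afterwards."""
    session = ToySessionStore(db, cookie_key, accept_unknown_keys)
    session.data["user"] = user
    session.save()
    return session.session_key


def planted_key_sees_login(accept_unknown_keys):
    """True if a key chosen before login ends up bound to the logged-in user."""
    db = {}
    planted = "constructed-planted-key"  # constructed sample value
    handle_login(db, planted, "alice", accept_unknown_keys)
    later = ToySessionStore(db, planted, accept_unknown_keys)
    return later.data.get("user") == "alice"


if __name__ == "__main__":
    print("regenerate unknown keys:", planted_key_sees_login(False))
    print("honour unknown keys:    ", planted_key_sees_login(True))
```

With regeneration, the authenticated data is stored under a server-generated key, so a key value known before login never maps to the logged-in session.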
