Opened 12 years ago
Closed 12 years ago
#19155 closed Bug (invalid)
New session backend instance does not respect a session_key parameter.
Reported by: | Andrei Antoukh | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | 1.4 |
Severity: | Normal | Keywords: | |
Cc: | niwi@… | Triage Stage: | Design decision needed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When I create an instance of the session backend with a specified key, and this key does not exist, it creates a new key without respecting the one I specifically forced.
Is this appropriate behavior? From my point of view, no.
This makes it much harder to create sessions with specific keys and forces me to do ugly hacks, because I have to access the backend-specific low-level API to create the key. (This generates backend-dependent code.)
I hope I have explained this well.
Test cases to reproduce the bug: https://github.com/niwibe/django/compare/bug/session-key
Change History (2)
comment:1 by , 12 years ago
Cc: | added |
---|---|
Has patch: | set |
comment:2 by , 12 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Triage Stage: | Unreviewed → Design decision needed |
Judging by the comment on the test you modified:
```python
def test_invalid_key(self):
    # Submitting an invalid session key (either by guessing, or if the db has
    # removed the key) results in a new key being generated.
```
and the docs:
> In order to prevent session fixation attacks, sessions keys that don't exist are regenerated.
it's certainly not a bug (because it works as documented and we test for it), thus closing.
I don't see an obvious use case for creating sessions with explicit keys, so if you decide to reopen this ticket as a feature request, please describe yours in more detail.
I added a possible solution to the same branch. It passes all tests.
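The documented behaviour cited in comment:2, as an added example that is not part of the ticket and is not Django's code: a toy in-memory store compares honouring an unknown client-supplied session key with regenerating it. `ToySessionStore`, `fixation_outcome` and the key value are hypothetical names and constructed data, and the model assumes the key is not rotated at login.

```python
import secrets


class ToySessionStore:
    """In-memory stand-in for a server-side session backend (hypothetical)."""

    def __init__(self, honor_unknown_keys):
        self.honor_unknown_keys = honor_unknown_keys
        self._db = {}  # session_key -> session data

    def open(self, presented_key=None):
        """Return (session_key, data) for a request presenting `presented_key`."""
        if presented_key in self._db:
            return presented_key, self._db[presented_key]
        if presented_key and self.honor_unknown_keys:
            key = presented_key  # weak setting: the client picks the identifier
        else:
            key = secrets.token_urlsafe(24)  # unknown key is replaced by a fresh one
        self._db[key] = {}
        return key, self._db[key]


def fixation_outcome(store, planted_key):
    """Return True if a key the server never issued ends up bound to a login."""
    # A browser arrives carrying a key that was planted rather than issued.
    _, data = store.open(planted_key)
    data["user"] = "alice"  # login is recorded under the key the store assigned
    # A second party presents the same planted key afterwards.
    _, other = store.open(planted_key)
    return other.get("user") == "alice"


PLANTED = "constructed-key-0001"  # constructed sample value

if __name__ == "__main__":
    for honor in (True, False):
        result = fixation_outcome(ToySessionStore(honor), PLANTED)
        print(f"honor_unknown_keys={honor}: planted key authenticated = {result}")
```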