Opened 6 years ago

Closed 6 years ago

#19155 closed Bug (invalid)

New session backend instance does not respect a session_key parameter.

Reported by: Andrei Antoukh
Owned by: nobody
Component: contrib.sessions
Version: 1.4
Severity: Normal
Keywords:
Cc: niwi@…
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


When I create an instance of the session backend with a specified key, and this key does not exist, it creates a new key without respecting the one I specifically forced.

Is this appropriate behavior? In my point of view, no.
This makes it much more complicated to create sessions with specific keys and forces me to do ugly hacks, because I have to access the backend-specific low-level API to create the key. (This generates backend-dependent code.)

I hope I have explained well.

Test cases to reproduce the bug:

Change History (2)

comment:1 Changed 6 years ago by Andrei Antoukh

Cc: niwi@… added
Has patch: set

I added a possible solution to the same branch. It passes all tests.

comment:2 Changed 6 years ago by Łukasz Rekucki

Resolution: invalid
Status: new → closed
Triage Stage: Unreviewed → Design decision needed

Judging by the comment on the test you modified:

     def test_invalid_key(self):
         # Submitting an invalid session key (either by guessing, or if the db has
         # removed the key) results in a new key being generated.

and the docs:

In order to prevent session fixation attacks, sessions keys that don't exist are regenerated.

it's certainly not a bug (because it works as documented and we test for it), thus closing.

I don't see an obvious use case for creating sessions with explicit keys, so if you decide to reopen this ticket as a feature request, please describe yours in more detail.
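
The regeneration behaviour quoted from the docs in comment:2, shown as an added example that is not part of the ticket and is not Django's code. It is a toy in-memory store compared with a variant that keeps a caller-supplied key; all class, function and key names are hypothetical and the key value is constructed.

```python
import secrets


class RegeneratingStore:
    """Toy in-memory store modelling the documented behaviour (not Django's code)."""
    _db = {}  # session_key -> session data; stands in for the real backend

    def __init__(self, session_key=None):
        self.session_key = session_key

    def load(self):
        # A key the backend has never issued is discarded and replaced.
        if self.session_key not in self._db:
            self.session_key = secrets.token_hex(16)
            self._db[self.session_key] = {}
        return self._db[self.session_key]


class KeyHonouringStore(RegeneratingStore):
    """Hypothetical variant that keeps whatever key the caller supplies."""

    def load(self):
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        return self._db.setdefault(self.session_key, {})


def fixation_outcome(store_cls, planted_key="constructed-key-0001"):
    """Return (user visible through planted_key, whether the planted key was kept)."""
    store_cls._db.clear()
    # A browser presents a key that the server did not generate.
    victim = store_cls(session_key=planted_key)
    victim.load()["user"] = "alice"  # login stores the identity in the session
    # Whoever chose planted_key presents it again afterwards.
    other = store_cls(session_key=planted_key)
    return other.load().get("user"), victim.session_key == planted_key


if __name__ == "__main__":
    print("regenerating :", fixation_outcome(RegeneratingStore))
    print("key-honouring:", fixation_outcome(KeyHonouringStore))
```

With regeneration, the planted key never becomes bound to the logged-in session; with the key-honouring variant, the same key resolves to the authenticated session data.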
