Opened 12 years ago
Last modified 8 years ago
#19201 new Cleanup/optimization
session data should always contain the expiry date
Reported by: | Aymeric Augustin | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | andreas@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently, session data only contains the expiry date when it has been explicitly set.
As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:
- the cache backend transmits the expiry age to the cache server
- the database backend stores the expiry date next to the data
- the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
- the signed_cookies backend implements its own timestamping and signing
SessionBase already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.
I propose that SessionBase always timestamp and sign session data. This would simplify session expiry handling. The signed_cookies backend would no longer need to perform its own timestamping and signing.
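The scheme the description proposes, as an added example that is not code from the ticket or from Django: every session payload carries its own creation timestamp, the timestamp and the data are signed together, and a backend decides "expired or not" from the signed payload alone, with no expiry metadata stored next to it. Django's own `django.core.signing.TimestampSigner` does the same job (`value:timestamp:signature`); the stand-in below uses only the standard library so it runs anywhere. `SECRET_KEY`, `SALT`, the sample session contents, and the assumption that an explicit `_session_expiry` is an integer number of seconds are all constructed for the example.

```python
"""Stand-in for the proposal in #19201: always timestamp and sign session
data so that expiry can be decided from the payload alone.

Added example built on the standard library; not Django's code.  Django's
django.core.signing.TimestampSigner works the same way.  SECRET_KEY, SALT
and the sample session contents are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"example-secret-key-do-not-use"   # constructed, not a real key
SALT = b"django.contrib.sessions.SessionBase"    # constructed, per-purpose salt
DEFAULT_MAX_AGE = 1209600                        # two weeks, Django's SESSION_COOKIE_AGE default


class BadSignature(Exception):
    """Payload or timestamp does not match its signature."""


class SignatureExpired(BadSignature):
    """Signature is valid but the session is older than its allowed age."""


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str) -> str:
    # Derive a per-purpose key from the salt so a session token can never be
    # replayed against another signer that shares SECRET_KEY.
    key = hashlib.sha256(SALT + SECRET_KEY).digest()
    return _b64encode(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())


def encode_session(data: dict, now: Optional[float] = None) -> str:
    """Serialise session data together with a creation timestamp and sign both."""
    ts = int(time.time() if now is None else now)
    envelope = json.dumps({"ts": ts, "data": data}, sort_keys=True, separators=(",", ":"))
    payload = _b64encode(envelope.encode("utf-8"))
    return f"{payload}.{_signature(payload)}"


def _max_age_for(data: dict) -> int:
    """Honour an explicit per-session expiry stored inside the signed data
    (assumed here to be an int of seconds, like Django's _session_expiry);
    fall back to the site-wide default otherwise."""
    expiry = data.get("_session_expiry")
    return expiry if isinstance(expiry, int) and expiry > 0 else DEFAULT_MAX_AGE


def decode_session(token: str, now: Optional[float] = None) -> dict:
    """Verify the signature first, then the age; only then trust the contents."""
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _signature(payload)):
        raise BadSignature("session data does not match its signature")
    envelope = json.loads(_b64decode(payload))
    data = envelope["data"]
    age = (time.time() if now is None else now) - envelope["ts"]
    if age > _max_age_for(data):
        raise SignatureExpired(f"session is {age:.0f}s old")
    return data


def load_session(token: str, now: Optional[float] = None) -> dict:
    """What a backend's load() would do: any failure yields an empty session."""
    try:
        return decode_session(token, now=now)
    except (BadSignature, ValueError, KeyError, AttributeError, TypeError):
        return {}


def forge_timestamp(token: str, new_ts: int) -> str:
    """Attacker's attempt: move the timestamp forward while keeping the old
    signature.  Because the signature covers the timestamp, this must fail."""
    payload, _, sig = token.rpartition(".")
    envelope = json.loads(_b64decode(payload))
    envelope["ts"] = new_ts
    forged = json.dumps(envelope, sort_keys=True, separators=(",", ":"))
    return f"{_b64encode(forged.encode('utf-8'))}.{sig}"


if __name__ == "__main__":
    token = encode_session({"user_id": 42, "_session_expiry": 300}, now=1_000_000)
    print("fresh:  ", load_session(token, now=1_000_100))
    print("expired:", load_session(token, now=1_000_400))
    print("forged: ", load_session(forge_timestamp(token, 1_005_000), now=1_000_400))
```

The order of checks matters: the signature is verified before the timestamp is read, so an attacker who can edit a cookie or a cache entry can neither push the timestamp forward nor lengthen `_session_expiry`, because both live inside the signed envelope. That is what lets the file backend drop its reliance on `mtime` and the signed_cookies backend drop its separate timestamping.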
Change History (7)
comment:1 by , 12 years ago
comment:2 by , 12 years ago
https://github.com/django/django/pull/453 shares some ideas with this ticket.
comment:3 by , 12 years ago
Triage Stage: Unreviewed → Design decision needed
comment:6 by , 12 years ago
Triage Stage: Design decision needed → Accepted
A helpful reference on session expiry implementation: https://code.djangoproject.com/ticket/18194#comment:12
comment:7 by , 8 years ago
Cc: added
This refactoring seems necessary to enforce signed_cookies expiry when a non-default expiry date is set.