Opened 2 years ago

Last modified 2 years ago

#19201 new Cleanup/optimization

session data should always contain the expiry date

Reported by: aaugustin
Owned by: nobody
Component: contrib.sessions
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, session data only contains the expiry date when it has been explicitly set.

As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:

  • the cache backend transmits the expiry age to the cache server
  • the database backend stores the expiry date next to the data
  • the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
  • the signed_cookies backend implements its own timestamping and signing

SessionBase already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.

I propose that SessionBase always timestamp and sign session data. This would simplify session expiry handling. The signed_cookies backend would no longer need to perform its own timestamping and signing.
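The scheme the description proposes, shown as an added illustration that is not Django's own code: the base session layer embeds the expiry date in the payload and signs the whole blob, so any storage backend can reject expired or tampered data without keeping its own expiry metadata. The secret key, the field name `_session_expiry` and the use of JSON instead of pickle are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed illustration of the ticket's proposal, not Django's code:
# the base session layer embeds the expiry date in the payload and signs the
# whole blob, so a backend needs no separate expiry metadata.
SECRET_KEY = b"constructed-demo-secret"  # placeholder; Django uses settings.SECRET_KEY
EXPIRY_KEY = "_session_expiry"  # hypothetical name for the embedded expiry field


def _signature(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def encode_session(data: dict, expiry_age: int, now: Optional[float] = None) -> str:
    """Serialize session data with an explicit expiry timestamp and sign it."""
    now = time.time() if now is None else now
    body = dict(data)
    body[EXPIRY_KEY] = now + expiry_age
    # JSON rather than pickle: a tampered pickle can execute code on load,
    # which is why the ticket stresses that session data must be signed.
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    return payload.decode() + ":" + _signature(payload)


def decode_session(blob: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict, or None if the blob is tampered with or expired."""
    now = time.time() if now is None else now
    try:
        payload_text, sig = blob.rsplit(":", 1)
    except ValueError:
        return None
    payload = payload_text.encode()
    # Constant-time comparison so signature checks leak no timing information.
    if not hmac.compare_digest(_signature(payload), sig):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    expiry = body.pop(EXPIRY_KEY, None)
    if expiry is None or now >= expiry:
        return None  # no expiry inside the payload, or already expired
    return body
```

Because the expiry lives inside the signed payload, a client holding a signed_cookies session cannot extend its own lifetime without invalidating the signature.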

Change History (6)

comment:1 Changed 2 years ago by aaugustin

This refactoring seems necessary to enforce signed_cookies expiry when a non-default expiry date is set.

comment:2 Changed 2 years ago by aaugustin

https://github.com/django/django/pull/453 shares some ideas with this ticket.

comment:3 Changed 2 years ago by aaugustin

  • Triage Stage changed from Unreviewed to Design decision needed

comment:4 Changed 2 years ago by Aymeric Augustin <aymeric.augustin@…>

In 88393357a6839fb4ce57793523bc25b17dc188a4:

[1.5.x] Marked cookies-based session expiry test as an expected failure.

Refs #19201.

Backport of 58337b3 from master.

comment:5 Changed 2 years ago by Aymeric Augustin <aymeric.augustin@…>

In 58337b32236eb57d82bf62ed077add3ec69e37f2:

Marked cookies-based session expiry test as an expected failure.

Refs #19201.

comment:6 Changed 2 years ago by aaugustin

  • Triage Stage changed from Design decision needed to Accepted

A helpful reference on session expiry implementation: https://code.djangoproject.com/ticket/18194#comment:12
