session data should always contain the expiry date
|Reported by:||Aymeric Augustin||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Currently, session data only contains the expiry date when it has been explicitly set.
As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:
- the cache backend transmits the expiry age to the cache server
- the database backend store the expiry date next to the data
- the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
- the signed_cookies backend implements its own timestamping and signing
SessionBase already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.
I propose that
SessionBase always timestamp and sign session data. This would simplify session expiry handling. The signed_cookies backend would no longer need to perform its own timestamping and signing.