Opened 21 months ago

Last modified 16 months ago

#19201 new Cleanup/optimization

session data should always contain the expiry date

Reported by: aaugustin
Owned by: nobody
Component: contrib.sessions
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently, session data only contains the expiry date when it has been explicitly set.

As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:

  • the cache backend transmits the expiry age to the cache server
  • the database backend stores the expiry date next to the data
  • the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
  • the signed_cookies backend implements its own timestamping and signing

SessionBase already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.

I propose that SessionBase always timestamp and sign session data. This would simplify session expiry handling. The signed_cookies backend would no longer need to perform its own timestamping and signing.
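The following is an added illustration of the scheme the ticket proposes, written for this page; it is not Django's code (Django's real implementation lives in django.core.signing and SessionBase). It shows why carrying the timestamp inside the signed payload removes the need for backend-side expiry metadata: the store only needs to keep an opaque string, and expiry is checked from the signed timestamp on load. The key, the token format (payload:timestamp:signature), the 14-day max_age and the sample session dictionary are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class BadSignature(Exception):
    """Raised when the token's signature does not verify."""


class SignatureExpired(BadSignature):
    """Raised when the signature is valid but the signed timestamp is too old."""


def _b64encode(data: bytes) -> str:
    # URL-safe base64 without padding; never contains ':' so it is safe as a field.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, message: str) -> str:
    # HMAC-SHA256 over "payload:timestamp", so the timestamp is covered by the MAC.
    return _b64encode(hmac.new(key, message.encode("ascii"), hashlib.sha256).digest())


def sign_session(key: bytes, session_dict: dict, now: Optional[float] = None) -> str:
    """Serialize, timestamp and sign session data: payload:timestamp:signature."""
    timestamp = int(time.time() if now is None else now)
    raw = json.dumps(session_dict, sort_keys=True, separators=(",", ":")).encode("utf-8")
    body = f"{_b64encode(raw)}:{timestamp}"
    return f"{body}:{_mac(key, body)}"


def load_session(key: bytes, token: str, max_age: int, now: Optional[float] = None) -> dict:
    """Verify the MAC first, then the age, then decode. Raises on any failure."""
    try:
        payload, timestamp_str, signature = token.rsplit(":", 2)
    except ValueError:
        raise BadSignature("malformed session token")
    expected = _mac(key, f"{payload}:{timestamp_str}")
    # Constant-time comparison so a mismatch does not leak which byte differed.
    if not hmac.compare_digest(expected, signature):
        raise BadSignature("signature does not match")
    # The timestamp is authenticated by the MAC, so it can be trusted here.
    age = int(time.time() if now is None else now) - int(timestamp_str)
    if age > max_age:
        raise SignatureExpired(f"session is {age}s old, max_age is {max_age}s")
    return json.loads(_b64decode(payload).decode("utf-8"))


def demo() -> dict:
    """Exercise the three cases a backend cares about: fresh, expired, tampered."""
    key = b"constructed-secret-key-not-for-production"  # constructed for the example
    two_weeks = 14 * 24 * 3600
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    token = sign_session(key, {"_auth_user_id": "42", "cart": [1, 2]}, now=t0)
    results = {}

    # Fresh token: signature and age both pass, data comes back intact.
    results["fresh"] = load_session(key, token, max_age=two_weeks, now=t0 + 60)

    # One second past max_age: the store never had to record an expiry column.
    try:
        load_session(key, token, max_age=two_weeks, now=t0 + two_weeks + 1)
    except SignatureExpired:
        results["expired"] = True

    # Rewriting the timestamp to "renew" the session fails because the MAC covers it.
    payload, ts, sig = token.rsplit(":", 2)
    forged = f"{payload}:{int(ts) + 10_000_000}:{sig}"
    try:
        load_session(key, forged, max_age=two_weeks, now=t0 + 60)
    except SignatureExpired:
        results["forged_timestamp"] = "accepted"
    except BadSignature:
        results["forged_timestamp"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The verification order matters: the MAC is checked before the timestamp is parsed or compared, so an unauthenticated timestamp never influences the expiry decision, which is exactly what lets a file or database backend drop its own expiry bookkeeping.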

Attachments (0)

Change History (6)

comment:1 Changed 21 months ago by aaugustin

This refactoring seems necessary to enforce signed_cookies expiry when a non-default expiry date is set.

comment:2 Changed 21 months ago by aaugustin

https://github.com/django/django/pull/453 shares some ideas with this ticket.

comment:3 Changed 21 months ago by aaugustin

  • Triage Stage changed from Unreviewed to Design decision needed

comment:4 Changed 21 months ago by Aymeric Augustin <aymeric.augustin@…>

In 88393357a6839fb4ce57793523bc25b17dc188a4:

[1.5.x] Marked cookies-based session expiry test as an expected failure.

Refs #19201.

Backport of 58337b3 from master.

comment:5 Changed 21 months ago by Aymeric Augustin <aymeric.augustin@…>

In 58337b32236eb57d82bf62ed077add3ec69e37f2:

Marked cookies-based session expiry test as an expected failure.

Refs #19201.

comment:6 Changed 16 months ago by aaugustin

  • Triage Stage changed from Design decision needed to Accepted

A helpful reference on session expiry implementation: https://code.djangoproject.com/ticket/18194#comment:12
