Opened 11 years ago

Last modified 7 years ago

#19201 new Cleanup/optimization

session data should always contain the expiry date

Reported by: Aymeric Augustin Owned by: nobody
Component: contrib.sessions Version: dev
Severity: Normal Keywords:
Cc: andreas@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Currently, session data only contains the expiry date when it has been explicitly set.

As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:

  • the cache backend transmits the expiry age to the cache server
  • the database backend stores the expiry date next to the data
  • the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
  • the signed_cookies backend implements its own timestamping and signing

SessionBase already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.

I propose that SessionBase always timestamp and sign session data. This would simplify session expiry handling. The signed_cookies backend would no longer need to perform its own timestamping and signing.
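To illustrate the proposal in stand-alone form (an added sketch, not Django's SessionBase code): the encoder always embeds an expiry timestamp before signing, and the decoder verifies the signature before deserialising and then checks expiry from the payload itself, so no backend metadata is needed. The secret key, the `_session_expiry` key name and the payloads are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: the secret key and session payloads are made up, and
# JSON is used instead of pickle so a bad payload cannot execute code.
SECRET_KEY = b"example-secret-do-not-use"
DEFAULT_AGE = 1209600  # two weeks, Django's default SESSION_COOKIE_AGE


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()


def encode(session_dict: dict, now: float, expiry_age: int = DEFAULT_AGE) -> str:
    """Always embed the expiry timestamp, then sign the whole payload."""
    data = dict(session_dict)
    data["_session_expiry"] = now + expiry_age
    payload = json.dumps(data, sort_keys=True).encode()
    return base64.b64encode(payload).decode() + ":" + _sign(payload).decode()


def decode(encoded: str, now: float):
    """Return the session dict, or None if the token is malformed, forged or expired."""
    try:
        b64, sig = encoded.rsplit(":", 1)
        payload = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig.encode()):
        return None  # signature mismatch: never deserialise untrusted bytes
    data = json.loads(payload)
    if data.get("_session_expiry", 0) <= now:
        return None  # expired: decided from the signed data, not from backend metadata
    del data["_session_expiry"]
    return data


if __name__ == "__main__":
    token = encode({"user_id": 42}, time.time(), expiry_age=3600)
    print(decode(token, time.time()))  # {'user_id': 42}
```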

Change History (7)

comment:1 by Aymeric Augustin, 11 years ago

This refactoring seems necessary to enforce signed_cookies expiry when a non-default expiry date is set.

comment:2 by Aymeric Augustin, 11 years ago

https://github.com/django/django/pull/453 shares some ideas with this ticket.

comment:3 by Aymeric Augustin, 11 years ago

Triage Stage: Unreviewed → Design decision needed

comment:4 by Aymeric Augustin <aymeric.augustin@…>, 11 years ago

In 88393357a6839fb4ce57793523bc25b17dc188a4:

[1.5.x] Marked cookies-based session expiry test as an expected failure.

Refs #19201.

Backport of 58337b3 from master.

comment:5 by Aymeric Augustin <aymeric.augustin@…>, 11 years ago

In 58337b32236eb57d82bf62ed077add3ec69e37f2:

Marked cookies-based session expiry test as an expected failure.

Refs #19201.

comment:6 by Aymeric Augustin, 11 years ago

Triage Stage: Design decision needed → Accepted

A helpful reference on session expiry implementation: https://code.djangoproject.com/ticket/18194#comment:12

comment:7 by Andreas Pelme, 7 years ago

Cc: andreas@… added