id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19201	session data should always contain the expiry date	Aymeric Augustin	nobody	"Currently, session data only contains the expiry date when it has been explicitly set.

As a consequence, session backends are required to store the expiration date as metadata to determine if the session has or hasn't expired:
- the cache backend transmits the expiry age to the cache server
- the database backend store the expiry date next to the data
- the file backend doesn't store the expiry date at all (see #18194) — it can be rebuilt from the file's mtime but that sounds fragile
- the signed_cookies backend implements its own timestamping and signing

`SessionBase` already signs the session data (to prevent code execution attacks in case the pickled session data was compromised), and it timestamps it when an explicit expiry date is set.

I propose that `SessionBase` always timestamp and sign session data. This would [https://code.djangoproject.com/ticket/18194#comment:12 simplify session expiry handling]. The signed_cookies backend would no longer need to perform its own timestamping and signing."	Cleanup/optimization	new	contrib.sessions	dev	Normal			andreas@…	Accepted	0	0	0	0	0	0