﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19324	invalid session keys cause unnecessary empty records in django_session table	liangrubo@…	nobody	"db session store calls self.create when no record is found for the session key, which causes an empty record to be inserted. Is this necessary? This gives a user the chance to fill the session table with empty records by sending invalid session keys.

Is it more appropriate to set session_key to be None in this case?

current implementation:
{{{
    def load(self):
        try:
            s = Session.objects.get(
                session_key=self.session_key,
                expire_date__gt=timezone.now()
            )
            return self.decode(s.session_data)
        except (Session.DoesNotExist, SuspiciousOperation):
            self.create()
            return {}
}}}

suggested implementation:
{{{
    def load(self):
        try:
            s = Session.objects.get(
                session_key=self.session_key,
                expire_date__gt=timezone.now()
            )
            return self.decode(s.session_data)
        except (Session.DoesNotExist, SuspiciousOperation):
            self.session_key = None
            return {}
}}}"	Bug	closed	contrib.sessions	1.4	Normal	fixed			Accepted	0	0	0	0	0	0
