Opened 9 years ago

Closed 9 years ago

#2133 closed defect (fixed)

[patch] Invalid session cookies shouldn't cause fatal errors

Reported by: greg-django@…
Owned by: adrian
Component: Core (Other)
Version: master
Severity: normal
Keywords: session, security, cookie
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

It seems a little harsh to halt processing of a request whenever the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all, until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:

  1. The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
  2. Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).

I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.
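The two behaviours discussed in this ticket, side by side, as an added illustration rather than Django's own session code: a session cookie carrying a payload plus an HMAC keyed with SECRET_KEY, a strict loader that makes any mismatch fatal (the behaviour the report complains about), and a lenient loader that treats a mismatch as "no session" and tells the caller to discard the cookie and any cached server-side state. The cookie format, the function names and the `InvalidSessionCookie` exception are assumptions made for this example; the SECRET_KEY rotation scenario at the end reproduces the reporter's situation.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


class InvalidSessionCookie(Exception):
    """Raised by the strict loader when a cookie does not verify (assumed name)."""


def _mac(secret_key: str, payload: bytes) -> str:
    # HMAC-SHA256 over the serialised payload, keyed with the app's SECRET_KEY.
    return hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()


def make_session_cookie(secret_key: str, session: Dict) -> str:
    """Serialise a session dict into 'base64(payload):hexmac' (constructed format)."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return f"{payload.decode()}:{_mac(secret_key, payload)}"


def load_session_strict(secret_key: str, cookie: str) -> Dict:
    """Old behaviour: a cookie that does not match SECRET_KEY aborts the request."""
    try:
        payload, mac = cookie.rsplit(":", 1)
    except ValueError:
        raise InvalidSessionCookie("malformed session cookie")
    expected = _mac(secret_key, payload.encode())
    # Constant-time comparison; bytes so a non-ASCII cookie cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        raise InvalidSessionCookie("session cookie does not match SECRET_KEY")
    return json.loads(base64.urlsafe_b64decode(payload))


def load_session_lenient(secret_key: str, cookie: str) -> Tuple[Dict, bool]:
    """Proposed behaviour: an invalid cookie yields an empty session.

    Returns (session, discard). When discard is True the caller should clear
    the client's cookie and drop any server-side session state keyed by it,
    without explaining to the client why the cookie was rejected.
    """
    try:
        return load_session_strict(secret_key, cookie), False
    except (InvalidSessionCookie, ValueError):
        # ValueError also covers bad base64 (binascii.Error) and bad JSON.
        return {}, True


def rotate_key_scenario() -> Tuple[Dict, bool]:
    """The reporter's case: a cookie issued under the old SECRET_KEY is
    presented after the key was changed. Keys here are constructed values."""
    old_key, new_key = "old-development-secret", "new-development-secret"
    cookie = make_session_cookie(old_key, {"user_id": 42})
    return load_session_lenient(new_key, cookie)


if __name__ == "__main__":
    session, discard = rotate_key_scenario()
    print("session after key rotation:", session, "discard cookie:", discard)
```

With the lenient loader, a key rotation simply logs every client out instead of breaking the site, and a forged or tampered cookie is indistinguishable from "no cookie" from the client's point of view; the `discard` flag is what lets the middleware delete the stale cookie and cached session, as the report proposes.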

Attachments (1)

session.diff (3.1 KB) - added by greg-django@… 9 years ago.
patch for SVN trunk


Change History (5)

Changed 9 years ago by greg-django@…

patch for SVN trunk

comment:1 Changed 9 years ago by anonymous

  • Summary changed from Invalid session cookies shouldn't cause fatal errors to [patch] Invalid session cookies shouldn't cause fatal errors

comment:2 Changed 9 years ago by Simon G. <dev@…>

  • Triage Stage changed from Unreviewed to Ready for checkin

I think the silent-ignore behavior is the best & safest solution, and probably does not require the addition to settings?

comment:3 Changed 9 years ago by adrian

I agree that silent-ignore behavior is best and safest. I'll update the patch and check it in.

comment:4 Changed 9 years ago by adrian

  • Resolution set to fixed
  • Status changed from new to closed

(In [4423]) Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@…
