[patch] Invalid session cookies shouldn't cause fatal errors

[greg-django@…]

It seems a little harsh to halt processing of a request whenver the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all, until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:

1. The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
2. Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).

I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.

[greg-django@…]

patch for SVN trunk

[Simon G. <dev@…>]

I think the silent-ignore behavior is the best & safest solution, and probably does not require the addition to settings?

[Adrian Holovaty]

I agree that silent-ignore behavior is best and safest. I'll update the patch and check it in.

[Adrian Holovaty]

(In [4423]) Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@…