Opened 19 years ago

Closed 18 years ago

#2133 closed defect (fixed)

[patch] Invalid session cookies shouldn't cause fatal errors

Reported by: greg-django@… Owned by: Adrian Holovaty
Component: Core (Other) Version: dev
Severity: normal Keywords: session, security, cookie
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

It seems a little harsh to halt processing of a request whenver the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all, until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:

  1. The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
  2. Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).

I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.

Attachments (1)

session.diff (3.1 KB ) - added by greg-django@… 19 years ago.
patch for SVN trunk

Download all attachments as: .zip

Change History (5)

by greg-django@…, 19 years ago

Attachment: session.diff added

patch for SVN trunk

comment:1 by anonymous, 19 years ago

Summary: Invalid session cookies shouldn't cause fatal errors[patch] Invalid session cookies shouldn't cause fatal errors

comment:2 by Simon G. <dev@…>, 18 years ago

Triage Stage: UnreviewedReady for checkin

I think the silent-ignore behavior is the best & safest solution, and probably does not require the addition to settings?

comment:3 by Adrian Holovaty, 18 years ago

I agree that silent-ignore behavior is best and safest. I'll update the patch and check it in.

comment:4 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: newclosed

(In [4423]) Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@…

Note: See TracTickets for help on using tickets.
Back to Top