Opened 13 years ago

Closed 12 years ago

#2133 closed defect (fixed)

[patch] Invalid session cookies shouldn't cause fatal errors

Reported by: greg-django@…
Owned by: Adrian Holovaty
Component: Core (Other)
Version: master
Severity: normal
Keywords: session, security, cookie
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


It seems a little harsh to halt processing of a request whenever the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:

  1. The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
  2. Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).

I suggest perhaps adding a variable in, just in case some folks like the old behavior.
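As an added illustration (not the attached patch and not Django's own code), the two behaviours the ticket contrasts: a strict decoder that aborts the request when the cookie's MAC does not verify against SECRET_KEY, and a loader that treats an unverifiable cookie as absent and tells the caller to expire it. The cookie layout, function names and key values are constructed for this example.

```python
import hashlib
import hmac
import json

class SuspiciousOperation(Exception):
    """Raised by the strict decoder when the cookie's MAC does not verify."""

def encode_session(data, secret_key):
    """Serialise session data and append an HMAC keyed with SECRET_KEY.
    Cookie layout (constructed for this example): '<hex mac>:<json payload>'."""
    payload = json.dumps(data, sort_keys=True)
    mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{mac}:{payload}"

def decode_strict(cookie, secret_key):
    """Pre-fix behaviour: a cookie that does not verify aborts the request."""
    mac, _, payload = cookie.partition(":")
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise SuspiciousOperation("session cookie does not match SECRET_KEY")
    return json.loads(payload)

def load_session(cookie, secret_key):
    """Post-fix behaviour: an unverifiable cookie is treated like no cookie.
    Returns (session_dict, delete_cookie); delete_cookie tells the response
    layer to expire the stale cookie so the client stops resending it."""
    if cookie is None:
        return {}, False
    try:
        return decode_strict(cookie, secret_key), False
    except (SuspiciousOperation, ValueError, TypeError):
        # Either the admin rotated SECRET_KEY or the client sent garbage;
        # in both cases start a fresh, empty session and drop the old cookie.
        return {}, True

def key_rotation_demo():
    """Replay the reporter's scenario: a cookie issued under the old key
    arrives after SECRET_KEY was changed (both keys are constructed values)."""
    old_key, new_key = "old-secret-key", "new-secret-key"
    cookie = encode_session({"user_id": 42}, old_key)
    try:
        decode_strict(cookie, new_key)
        strict_failed = False
    except SuspiciousOperation:
        strict_failed = True           # old behaviour: the request dies here
    session, delete_cookie = load_session(cookie, new_key)
    return strict_failed, session, delete_cookie   # (True, {}, True)
```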

Attachments (1)

session.diff (3.1 KB) - added by greg-django@… 13 years ago.
patch for SVN trunk


Change History (5)

Changed 13 years ago by greg-django@…

Attachment: session.diff added

patch for SVN trunk

comment:1 Changed 13 years ago by anonymous

Summary: Invalid session cookies shouldn't cause fatal errors → [patch] Invalid session cookies shouldn't cause fatal errors

comment:2 Changed 13 years ago by Simon G. <dev@…>

Triage Stage: Unreviewed → Ready for checkin

I think the silent-ignore behavior is the best & safest solution, and probably does not require the addition to settings?

comment:3 Changed 12 years ago by Adrian Holovaty

I agree that silent-ignore behavior is best and safest. I'll update the patch and check it in.

comment:4 Changed 12 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [4423]) Fixed #2133 -- Invalid session cookie no longer causes fatal error. Thanks, greg-django@…
