[patch] Invalid session cookies shouldn't cause fatal errors
Reported by: (not recorded)
Owned by: Adrian Holovaty
Severity: normal
Keywords: session, security, cookie
Cc: (none)
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
It seems a little harsh to halt processing of a request whenever the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:
- The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
- Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).
I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.
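An added illustration of the two behaviours the ticket contrasts; this is constructed example code, not Django's own session implementation. It builds a session cookie whose payload is authenticated with an HMAC keyed by SECRET_KEY, then shows the current handling (a signature mismatch aborts the request) next to the proposed handling (the cookie is discarded and the request proceeds with an empty session). The signing format, the function names and the `InvalidSession` exception are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import logging

log = logging.getLogger("session")


class InvalidSession(Exception):
    """Raised when a session cookie does not verify under the current SECRET_KEY."""


def _mac(payload: str, secret_key: str) -> bytes:
    # Constructed scheme: HMAC-SHA256 over the encoded payload, keyed with SECRET_KEY.
    return hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest().encode()


def sign_session(data: dict, secret_key: str) -> str:
    """Serialise session data and append its MAC: '<base64 payload>.<hex mac>'."""
    payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return f"{payload}.{_mac(payload, secret_key).decode()}"


def load_session_strict(cookie: str, secret_key: str) -> dict:
    """Behaviour the ticket complains about: any cookie that fails to verify
    (rotated SECRET_KEY, tampering, or plain garbage) aborts the whole request."""
    payload, _, mac = cookie.rpartition(".")
    # Constant-time comparison; mismatched lengths simply compare unequal.
    if not hmac.compare_digest(mac.encode(), _mac(payload, secret_key)):
        raise InvalidSession("session cookie does not match SECRET_KEY")
    return json.loads(base64.urlsafe_b64decode(payload))


def load_session_lenient(cookie: str, secret_key: str) -> tuple:
    """Behaviour the ticket proposes: a cookie that fails to verify is treated
    as no session at all. Returns (session_data, cookie_was_valid); when the
    flag is False the caller should clear the cookie and start a fresh session.
    Nothing about the failure is reported to the client; it is only logged
    server-side so an operator can tell a key rotation from probing."""
    try:
        return load_session_strict(cookie, secret_key), True
    except (InvalidSession, ValueError):
        # ValueError also covers malformed base64 and malformed JSON payloads.
        log.warning("discarding session cookie that failed verification")
        return {}, False
```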
Change History (5)
comment:1 Changed 10 years ago by
Summary: Invalid session cookies shouldn't cause fatal errors → [patch] Invalid session cookies shouldn't cause fatal errors