Opened 18 years ago
Closed 18 years ago
#2133 closed defect (fixed)
[patch] Invalid session cookies shouldn't cause fatal errors
| Reported by: | | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Core (Other) | Version: | dev |
| Severity: | normal | Keywords: | session, security, cookie |
| Cc: | | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
It seems a little harsh to halt processing of a request whenever the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:
- The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
- Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).
I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior.
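The two behaviours discussed in this ticket, as an added example that is not the attached session.diff or Django's own session code: a constructed signed-cookie format (base64 payload plus HMAC-SHA256 keyed with SECRET_KEY), a strict loader that aborts on a cookie that fails its MAC check, and a lenient loader that treats such a cookie as "no session" and schedules it for deletion. The cookie format and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


class BadSessionCookie(Exception):
    """Raised by the strict loader when a cookie fails its MAC check."""


def sign_session(data, secret_key):
    """Serialise a session dict as '<base64 payload>.<hex HMAC-SHA256>' (constructed format)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_session(cookie_value, secret_key):
    """Return the session dict if the MAC verifies under secret_key, otherwise None."""
    if not cookie_value or "." not in cookie_value:
        return None  # missing or malformed cookie
    payload, _, mac = cookie_value.rpartition(".")
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a non-ASCII MAC from the client must not raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # signed under another key (rotated SECRET_KEY) or tampered with
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:
        return None  # binascii.Error and JSONDecodeError are both ValueError subclasses


def load_session_strict(cookie_value, secret_key):
    """The behaviour the ticket objects to: an invalid cookie aborts the request."""
    session = verify_session(cookie_value, secret_key)
    if session is None:
        raise BadSessionCookie("session cookie does not match SECRET_KEY")
    return session


def load_session_lenient(cookies, secret_key, cookie_name="sessionid"):
    """The behaviour the ticket proposes: an invalid cookie simply means 'no session'.
    Returns (session, cookies_to_expire) so the caller starts a fresh session and
    expires the stale cookie without telling the client why."""
    session = verify_session(cookies.get(cookie_name), secret_key)
    if session is None:
        return {}, [cookie_name] if cookie_name in cookies else []
    return session, []
```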
Attachments (1)
Change History (5)
by , 18 years ago
Attachment: session.diff added
comment:1 by , 18 years ago
Summary: Invalid session cookies shouldn't cause fatal errors → [patch] Invalid session cookies shouldn't cause fatal errors
comment:2 by , 18 years ago
Triage Stage: Unreviewed → Ready for checkin
I think the silent-ignore behavior is the best & safest solution, and probably does not require the addition to settings?
comment:3 by , 18 years ago
I agree that silent-ignore behavior is best and safest. I'll update the patch and check it in.
comment:4 by , 18 years ago
Resolution: → fixed
Status: new → closed
patch for SVN trunk