﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
2133	[patch] Invalid session cookies shouldn't cause fatal errors	greg-django@…	Adrian Holovaty	"It seems a little harsh to halt processing of a request whenever the client's session cookie doesn't match the app's SECRET_KEY properly. I ran into this issue because I started development on a new project based on a previous one, and then remembered that I needed to make a new SECRET_KEY. I couldn't use my app at all, until I manually deleted the cookie from every browser I had been using. I suggest that when the server sees an invalid cookie, it should just delete the key and the session cache, because one of two things is probably going on:

 1. The site admin legitimately changed the secret key (and users shouldn't be impacted more than necessary), or
 1. Someone is trying to hack the site (and then, although it's not a big deal, we don't owe them the favor of explaining the nature of the error to them).

I suggest perhaps adding a variable in settings.py, just in case some folks like the old behavior."	defect	closed	Core (Other)	dev	normal	fixed	session, security, cookie		Ready for checkin	1	0	0	0	0	0
