id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24915	Stricter validation on session key	Sasha Romijn	David Bannon	"Recently we had a vulnerability where session keys were set to empty strings: https://www.djangoproject.com/weblog/2015/may/20/security-release/

I can't really imagine any case where setting empty strings as session keys is a sensible thing to do. I therefore think we should add some basic validation on the key. Perhaps we should have a minimum length of 5-8 characters, because it would be just as problematic if it were only one or two characters. This doesn't make it impossible to have weak session keys, but it is a very basic hardening that would protect us from such a bug in the future.

Without having looked at the code, my first idea is that this belongs in the session backends somewhere. This breaks backwards compatibility, but given the rationale I think a mention in the release notes is sufficient."	Cleanup/optimization	closed	contrib.sessions	1.8	Normal	fixed			Ready for checkin	1	0	0	0	0	0
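The hardening the ticket proposes, as an added illustration (not Django's own code and not the patch attached to this ticket): a toy session backend whose `session_key` setter discards any key that is not a string of at least `MIN_SESSION_KEY_LENGTH` alphanumeric characters, so that a degenerate key such as `""` leads to a fresh session instead of a lookup. The `ToySessionStore` class, its dict-backed storage, the 8-character threshold and the 32-character generated keys are all assumptions made for the example. `session_confusion_demo` replays the failure mode the ticket refers to: two clients each presenting an empty key, with validation switched off and on.

```python
import secrets
import string

# Assumed minimum length for the example; the ticket suggests 5-8.
MIN_SESSION_KEY_LENGTH = 8
KEY_ALPHABET = string.ascii_lowercase + string.digits


class ToySessionStore:
    """Toy session backend (example only) with an injected dict as storage.

    It mirrors the shape of a backend that trusts whatever key it was given:
    load() reads the data stored under the current key and save() writes
    under it. Without key validation an empty string is a perfectly good
    dict key, so every client presenting "" shares one session. With
    validation a bad key is replaced by None, and load() then creates a
    fresh session with a random key instead of reading a shared one.
    """

    def __init__(self, session_key, store, validate_keys=True):
        self._store = store
        self._validate_keys = validate_keys
        self._data = {}
        self._session_key = None
        self.session_key = session_key  # goes through the setter below

    @staticmethod
    def is_valid_session_key(key):
        """The proposed check: non-empty, long enough, restricted alphabet."""
        return (
            isinstance(key, str)
            and len(key) >= MIN_SESSION_KEY_LENGTH
            and all(c in KEY_ALPHABET for c in key)
        )

    @property
    def session_key(self):
        return self._session_key

    @session_key.setter
    def session_key(self, value):
        # Hardened path: an unusable key is treated as "no session at all".
        if self._validate_keys and not self.is_valid_session_key(value):
            value = None
        self._session_key = value

    @staticmethod
    def _generate_key():
        return "".join(secrets.choice(KEY_ALPHABET) for _ in range(32))

    def create(self):
        """Allocate a new random key that does not collide with an existing one."""
        while True:
            key = self._generate_key()
            if key not in self._store:
                self._session_key = key
                self._data = {}
                self.save()
                return

    def load(self):
        if self._session_key is None:
            self.create()
            return self._data
        # Vulnerable shape: any non-None key, "" included, is looked up as-is.
        self._data = dict(self._store.get(self._session_key, {}))
        return self._data

    def save(self):
        self._store[self._session_key] = dict(self._data)

    def __setitem__(self, key, value):
        self._data[key] = value

    def get(self, key, default=None):
        return self._data.get(key, default)


def session_confusion_demo(validate_keys):
    """Two clients both present an empty session key (constructed scenario).

    Returns (what the second client sees under "user", its session key).
    With validate_keys=False the second client reads the first client's
    data; with validate_keys=True it gets a fresh session of its own.
    """
    store = {}
    first = ToySessionStore("", store, validate_keys)
    first.load()
    first["user"] = "alice"
    first.save()

    second = ToySessionStore("", store, validate_keys)
    second.load()
    return second.get("user"), second.session_key


if __name__ == "__main__":
    print("unvalidated:", session_confusion_demo(False))
    print("validated:  ", session_confusion_demo(True))
```

The setter is the natural place for the check because every backend path that accepts a key from outside (cookie, flush, tests) funnels through it; rejecting the key there means a bug that produces an empty or tiny key degrades to "new session" rather than "shared session".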
