Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#26503 closed Bug (fixed)

SessionStore nonexistent key example is outdated

Reported by: jmcbailey Owned by: Berker Peksag
Component: contrib.sessions Version: 1.8
Severity: Normal Keywords:
Cc: Carl Meyer, berker.peksag@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The documentation at https://docs.djangoproject.com/en/1.8/topics/http/sessions/#using-sessions-out-of-views has the following example:

from django.contrib.sessions.backends.db import SessionStore
s = SessionStore(session_key='no-such-session-here')
s.save()
s.session_key
'ff882814010ccbc3c870523934fee5a2'

However, when I run this with Django 1.8.12, s.session_key actually returns None.

The reason is that when the SessionStore instance is saved (with must_create=False, i.e. the default), it results in a call to self.load(), which looks for an existing Session object with the given session_key. This of course does not yet exist, so the session_key gets set to None - see https://github.com/django/django/blob/1.8.12/django/contrib/sessions/backends/db.py#L29

I don't know if this change in behaviour was intentional or not, but I didn't see any mention of it in the 1.7 or 1.8 release notes, and of course the fact that the behaviour is different to what's documented suggests it was not intentional. (I haven't checked the file's history, but it definitely did work as documented in Django 1.6.)

In any case it's a pretty minor issue, only affecting one unit test of mine, and was very easy to work around.

Change History (6)

comment:1 by Tim Graham, 9 years ago

Cc: Carl Meyer added
Summary: SessionStore is not behaving as documentedSessionStore nonexistent key example is outdated
Triage Stage: UnreviewedAccepted

The behavior changed in this security fix: 66d12d1ababa8f062857ee5eb43276493720bf16 and again in 3389c5ea229884a1943873fe7e7ffc2800cefc22 where the snippet now raises UpdateError.

I'm not sure if the example is demonstrating anything useful now. Maybe it could simply be removed?

comment:2 by Berker Peksag, 8 years ago

Cc: berker.peksag@… added
Has patch: set
Owner: changed from nobody to Berker Peksag
Status: newassigned

I agree that the example can be removed. I've opened a PR: https://github.com/django/django/pull/6676

comment:3 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In 698c8df:

Fixed #26503 -- Removed an outdated example from session docs.

comment:4 by Tim Graham <timograham@…>, 8 years ago

In ccea4a4:

[1.10.x] Fixed #26503 -- Removed an outdated example from session docs.

Backport of 698c8dfc2a5c5865a8bb163c1ae70b75d53e6415 from master

comment:5 by Tim Graham <timograham@…>, 8 years ago

In 4dc1bf89:

[1.9.x] Fixed #26503 -- Removed an outdated example from session docs.

Backport of 698c8dfc2a5c5865a8bb163c1ae70b75d53e6415 from master

comment:6 by Tim Graham <timograham@…>, 8 years ago

In 42958488:

[1.8.x] Fixed #26503 -- Removed an outdated example from session docs.

Backport of 698c8dfc2a5c5865a8bb163c1ae70b75d53e6415 from master

Note: See TracTickets for help on using tickets.
Back to Top