Opened 2 years ago

Last modified 2 years ago

#27604 new Cleanup/optimization

Use set_signed_cookie for contrib.messages Cookie storage

Reported by: Anthony King
Owned by:
Component: contrib.messages
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


This relates to

In its current state, the Cookie store implements its own signing method (called _hash).
This uses its own approach to verifying the data inside the cookie.

Using set_signed_cookie removes duplicate code, as well as allowing the message cookie to use custom signing backends.

There is, perhaps, another change that can be made, which is to use signing.dumps to take advantage of the zlib compression. However, this has the potential to be a breaking change for people who read the JSON in the cookie, and may not yield better results in size.

Change History (4)

comment:1 Changed 2 years ago by Tim Graham

Triage Stage: Unreviewed → Accepted

I haven't investigated but since contrib.messages was added in 2009 and set_signed_cookie() in 2011, there probably wasn't an intentional change not to use it. I guess a deprecation period that offers backwards-compatibility for the old format will be needed.

comment:2 Changed 2 years ago by reficul31

Owner: changed from nobody to reficul31
Status: new → assigned

comment:3 Changed 2 years ago by reficul31

Instead of using the set_signed_cookie method, we could probably replace the _hash method with signing.get_cookie_signer(salt=key + salt).sign(messages)?

comment:4 Changed 2 years ago by reficul31

Owner: reficul31 deleted
Status: assigned → new
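The backwards-compatible read path raised in comment:1, as an added example that is not part of the ticket or of Django's code: cookies are written only in the new format, while reads accept the old format during the deprecation period. It uses the standard library as a stand-in for Django's signer; the secret, the salts and both cookie layouts are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"    # constructed; stands in for SECRET_KEY
LEGACY_SALT = b"demo.messages.legacy"  # hypothetical salt for the old scheme
SIGNER_SALT = b"demo.messages.signer"  # hypothetical salt for the new scheme


def _mac(salt, payload):
    # A per-scheme key keeps a MAC made for one format from verifying in the other.
    key = hashlib.sha256(salt + SECRET).digest()
    return hmac.new(key, payload.encode(), hashlib.sha256)


def legacy_encode(payload):
    """Assumed old layout: '<hex mac>$<payload>'."""
    return _mac(LEGACY_SALT, payload).hexdigest() + "$" + payload


def signer_encode(payload):
    """Assumed new layout: '<payload>:<urlsafe base64 mac>'."""
    sig = base64.urlsafe_b64encode(_mac(SIGNER_SALT, payload).digest())
    return payload + ":" + sig.rstrip(b"=").decode()


def _same(a, b):
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


def decode(cookie):
    """Return (payload, fmt), or (None, None) when no signature verifies."""
    payload, sep, _sig = cookie.rpartition(":")   # the signature has no ':'
    if sep and _same(signer_encode(payload), cookie):
        return payload, "signer"
    _mac_hex, sep, payload = cookie.partition("$")  # the hex mac has no '$'
    if sep and _same(legacy_encode(payload), cookie):
        return payload, "legacy"                  # accepted only while deprecated
    return None, None


def upgrade(cookie):
    """Re-issue a valid cookie in the new format; None means discard it."""
    payload, _fmt = decode(cookie)
    return None if payload is None else signer_encode(payload)
```

Removing the legacy branch of `decode` at the end of the deprecation period is the only change needed to stop accepting the old format.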