Opened 22 months ago

Last modified 21 months ago

#27604 new Cleanup/optimization

Use set_signed_cookie for contrib.messages Cookie storage

Reported by: Anthony King
Owned by:
Component: contrib.messages
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


This relates to

In its current state, the Cookie store implements its own signing method (called _hash).
This uses its own approach to verifying the data inside the cookie.

Using set_signed_cookie removes duplicate code, as well as allows the message cookie to use custom signing backends.

There is, perhaps, another change that can be made, which is to use signing.dumps to take advantage of the zlib compression. However, this has the potential to be a breaking change for people that read the JSON in the cookie, and may not yield better results in size.

Change History (4)

comment:1 Changed 22 months ago by Tim Graham

Triage Stage: Unreviewed → Accepted

I haven't investigated but since contrib.messages was added in 2009 and set_signed_cookie() in 2011, there probably wasn't an intentional change not to use it. I guess a deprecation period that offers backwards-compatibility for the old format will be needed.

comment:2 Changed 22 months ago by reficul31

Owner: changed from nobody to reficul31
Status: new → assigned

comment:3 Changed 21 months ago by reficul31

Instead of using set_signed_cookie method we could probably replace the _hash method by signing.get_cookie_signer(salt=key + salt).sign(messages)?

comment:4 Changed 21 months ago by reficul31

Owner: reficul31 deleted
Status: assigned → new
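
The backwards-compatible read path that comment:1 asks for, as an added sketch that is not Django's code and not part of the ticket: the reader accepts a signer-style cookie first and falls back to the store's older self-hashed cookie only if that fails. `SECRET`, both salts, the function names, and the `payload:signature` and `hash$payload` layouts are simplified stand-ins chosen for this example.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-secret-for-this-example"  # placeholder, not a real key


def _mac(key_salt: bytes, value: bytes) -> bytes:
    # Derive a per-purpose key from salt + secret so the two formats
    # can never validate each other's signatures.
    key = hashlib.sha256(key_salt + SECRET).digest()
    return hmac.new(key, value, hashlib.sha256).digest()


def legacy_encode(payload: str) -> str:
    # Stand-in for the store's own scheme: hex MAC, '$', payload.
    return _mac(b"legacy.messages", payload.encode()).hex() + "$" + payload


def signed_encode(payload: str) -> str:
    # Stand-in for a signer-style cookie: payload, ':', urlsafe base64 MAC.
    raw = _mac(b"cookie.signer.messages", payload.encode())
    sig = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return payload + ":" + sig


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes so non-ASCII payloads are accepted.
    return hmac.compare_digest(a.encode(), b.encode())


def decode(cookie: str):
    """Return (payload, format), or (None, None) if neither format verifies."""
    if ":" in cookie:
        # The signature is after the LAST ':' because JSON payloads contain ':'.
        payload, _sig = cookie.rsplit(":", 1)
        if _same(signed_encode(payload), cookie):
            return payload, "signed"
    if "$" in cookie:
        # The hex MAC has no '$', so the FIRST '$' is the separator.
        _hexmac, payload = cookie.split("$", 1)
        if _same(legacy_encode(payload), cookie):
            return payload, "legacy"  # accepted only during the deprecation period
    return None, None
```

Cookies that verify as "legacy" would be re-issued in the new format on the next write, so the fallback branch can be dropped once the deprecation period ends.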