id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31412	Database timing attack against sessions.	Brian May		"CVE-2019-16782 was assigned to Ruby Rack. Basically, an attacker, can conduct a timing attack by sending specially crafted session ids and timing how long it takes for the database to lookup the session. From this the attacker can guess valid session ids.

To me it looks like Django, by default, stores sessions on the database (using django.contrib.sessions.backends.db) in a very similar manner. Does this also mean it is vulnerable to the same timing attack?"	Bug	closed	contrib.sessions	3.0	Normal	wontfix		Simon Charette Florian Apolloner Paul McMillan	Unreviewed	0	0	0	0	0	0