id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
31842	django.core.signing.dumps() and loads() not backwards compatible	Markus Holtermann	Mariusz Felisiak	"In Django 3.1, the default algorithm for `django.core.signing.Signer` was changed from sha1 to sha256. That's good!

However, the `django.core.signing.dumps()` and `django.core.signing.loads()` functions don't expose the algorithm. I think that that makes an upgrade from 3.0 to 3.1 impossible when one uses the `dumps()` function in a multi-node Django setup.

Let's say there are two servers. Both run an application with Django 3.0 and make use of `dumps()` and `loads()`. Then server 1 is upgraded to use Django 3.1. At this point, because of the backwards compatibility parts in the decoding/signature validation, a token signed by server 2 can be loaded on server 1 and 2. However, a token signed by server 1 cannot be loaded on server 2.

This problem could be mitigated by exposing the algorithm in the `dumps()` method and setting it to `sha1`. Once all servers run Django 3.1, the algorithm could be changed to `sha256`."	Bug	closed	Core (Other)	3.1	Release blocker	fixed		אורי	Accepted	1	0	0	0	0	0
