id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33475	Add a SESSION_KEY_LENGTH setting	jecarr	nobody	"I was reviewing how sessions were made and came across how the session key is [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L142 at a fixed length of 32 characters]. I wondered if we could have a setting that changes this?

Rationale:
- [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-length OWASP-recommended session ID length] which therefore might influence security auditors (although I do acknowledge their point that the minimum isn't an absolute, pending other implementation factors).
- I also did follow the steps to [https://docs.djangoproject.com/en/4.0/topics/http/sessions/#extending-database-backed-session-engines extend the default Session management] and it resulted in a pointer table (a new table for my model extending Django's Session model, where it references the django_session table). I don't mind this but if all I wanted was to adjust the session key length, I think a setting would be more efficient than introducing a new DB-table.

Impact-on-codebase: Whether [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L156 minimum] and [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/base_session.py#L27 maximum] session-key-length checks need to be called anywhere else

Apologies if I've overlooked anything which results in a wontfix; thanks!"	New feature	closed	contrib.sessions	dev	Normal	wontfix	session	Florian Apolloner	Unreviewed	0	0	0	0	0	0
