id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux

3507 sessions race condition jimmy@… Adrian Holovaty

"Regarding this piece of code in django/contrib/sessions/models.py:

{{{
while 1:
    session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
    try:
        self.get(session_key=session_key)
    except self.model.DoesNotExist:
        break
return session_key
}}}

There is a very very small chance that a race condition exists between finding a unique session, and saving it; which would result in one user ending up with a session owned by someone else.

I know the chance is very small, but I do worry about it. Maybe it would be possible to also include remote_addr into the to be hashed string?

I also want to add that it would be nice to make a configuration option to make it impossible to use a session from another remote_addr.

I might be too paranoid."

closed Contrib apps dev worksforme sessions save tom@… Unreviewed 0 0 0 0 0 0
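
The check-then-save window the ticket describes, next to an atomic alternative, as an added example that is not Django's code. Assumptions: an in-memory sqlite3 table stands in for the session model, `INSERT OR REPLACE` stands in for a save that overwrites an existing row, `secrets.token_hex` replaces the md5-based generator, and all function names and keys are constructed for illustration.

```python
import secrets
import sqlite3

def open_store():
    """Hypothetical session table; the PRIMARY KEY lets the database arbitrate uniqueness."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit per statement
    db.execute("CREATE TABLE session (session_key TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    return db

def key_is_free(db, key):
    row = db.execute("SELECT 1 FROM session WHERE session_key = ?", (key,)).fetchone()
    return row is None

def owner_of(db, key):
    row = db.execute("SELECT owner FROM session WHERE session_key = ?", (key,)).fetchone()
    return row[0] if row else None

def racy_interleaving(db, key, owners):
    """Check-then-save: every request runs its lookup before any of them saves."""
    passed = [o for o in owners if key_is_free(db, key)]  # all lookups find nothing
    for owner in passed:
        # Assumed overwrite-style save: the second writer silently replaces the first.
        db.execute("INSERT OR REPLACE INTO session VALUES (?, ?)", (key, owner))
    return passed  # every owner listed here believes `key` is its own session

def create_session(db, owner, new_key=lambda: secrets.token_hex(16), attempts=5):
    """Atomic variant: INSERT directly, retry with a fresh key on a uniqueness violation."""
    for _ in range(attempts):
        key = new_key()
        try:
            db.execute("INSERT INTO session VALUES (?, ?)", (key, owner))
            return key
        except sqlite3.IntegrityError:
            continue  # key already taken: never hand out an existing session
    raise RuntimeError("could not allocate a unique session key")

def demo():
    db = open_store()
    holders = racy_interleaving(db, "constructed-colliding-key", ["alice", "bob"])
    # Force the same collision against the atomic variant with a scripted generator.
    scripted = iter(["constructed-colliding-key", "constructed-fresh-key"])
    carol_key = create_session(db, "carol", new_key=lambda: next(scripted))
    return holders, owner_of(db, "constructed-colliding-key"), carol_key

if __name__ == "__main__":
    print(demo())
```

In the racy path both constructed users pass the lookup and end up holding one key, while the atomic path rejects the duplicate at insert time and allocates a different key.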