id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
3507	sessions race condition	jimmy@…	Adrian Holovaty	"Regarding this piece of code in django/contrib/sessions/models.py:

{{{
        # Loop until a key is generated that no existing session row uses
        while 1:
            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
            try:
                # Check-then-save: the key is only looked up here, not reserved
                self.get(session_key=session_key)
            except self.model.DoesNotExist:
                break
        return session_key
}}}

There is a very, very small chance that a race condition exists between finding a unique session and saving it, which would result in one user ending up with a session owned by someone else. I know the chance is very small, but I do worry about it. Maybe it would be possible to also include remote_addr in the to-be-hashed string?

I also want to add that it would be nice to have a configuration option to make it impossible to use a session from another remote_addr. I might be too paranoid."		closed	Contrib apps	dev		worksforme	sessions save	tom@…	Unreviewed	0	0	0	0	0	0
