Opened 17 years ago

Closed 17 years ago

#5593 closed (fixed)

Missing DB sessions create a new session for every request

Reported by: nezroy <nezroy@…>
Owned by: nobody
Component: contrib.sessions
Version: dev
Severity:
Keywords: session invalid stale duplicate clutter
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

When using the DB SessionStore, it's possible to start getting a bunch of invalid sessions in the session table. This happens when an original session has been purged from the table, but a client still has the old, stale cookie with the original session ID. The load method will create a new session with a new id for security purposes when it tries to load this old session, but it does *not* update the actual cookie stored on the client. So the client continues to try and use the old session id, which keeps causing the load method to create new sessions with new IDs.

Attached is a simple patch that is the simplest solution I could think of, though I'm not familiar enough with session to understand potential ramifications. The load function is simply updated to set the "modified" property to True so that further processing in the response handler will send an updated version of the cookie to the client.

Attachments (1)

stale_sessionid.patch (437 bytes) - added by nezroy <nezroy@…> 17 years ago.
Patch to force client update of sessionid cookie.


Change History (4)

by nezroy <nezroy@…>, 17 years ago

Attachment: stale_sessionid.patch added

Patch to force client update of sessionid cookie.

comment:1 by Simon G <dev@…>, 17 years ago

Triage Stage: Unreviewed → Ready for checkin

Hmm.. I'll push this to RFC as it's kind of important, and a one-liner. If core thinks there's a better way to do this, can they revert it?

comment:2 by Jacob, 17 years ago

Triage Stage: Ready for checkin → Accepted

We need to look at this closer to know if this is the right approach.

comment:3 by Ramiro Morales, 17 years ago

Resolution: fixed
Status: new → closed

This has been fixed on [7001] with a similar but more comprehensive patch (it also fixes the problem on the file-based session backend engine). See discussion at http://groups.google.com/group/django-users/browse_thread/thread/f7d7f737a5a76fa4?hl=en
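
The behaviour described in this ticket, as an added example that is not part of the ticket or of Django's code: a toy session store and middleware (all class, function and cookie-value names are hypothetical) replay requests from one client holding a stale cookie, with and without marking the session modified when the key is missing.

```python
import secrets


class ToySessionStore:
    """Toy stand-in for a DB-backed session store (hypothetical, not Django's class)."""
    table = {}  # session_key -> data; plays the role of the session table

    def __init__(self, session_key, mark_modified_on_miss):
        self.session_key = session_key
        self.modified = False
        self.mark_modified_on_miss = mark_modified_on_miss

    def load(self):
        if self.session_key in self.table:
            return self.table[self.session_key]
        # Unknown or purged key: never adopt a client-supplied id, mint a new one.
        self.session_key = secrets.token_hex(16)
        self.table[self.session_key] = {}
        if self.mark_modified_on_miss:
            self.modified = True  # the change described in the ticket
        return self.table[self.session_key]


def handle_request(cookies, mark_modified_on_miss):
    """Toy middleware: load the session, then set the cookie only if modified."""
    store = ToySessionStore(cookies.get("sessionid"), mark_modified_on_miss)
    store.load()
    if store.modified:
        cookies["sessionid"] = store.session_key  # Set-Cookie reaches the client
    return cookies


def rows_after(requests, mark_modified_on_miss):
    """Replay `requests` requests from one client that starts with a stale cookie."""
    ToySessionStore.table = {}
    cookies = {"sessionid": "stale-purged-id"}  # constructed sample value
    for _ in range(requests):
        cookies = handle_request(cookies, mark_modified_on_miss)
    return len(ToySessionStore.table)


if __name__ == "__main__":
    print("rows without the change:", rows_after(5, False))  # 5
    print("rows with the change:   ", rows_after(5, True))   # 1
```

Without the flag the table grows by one row per request from the same client; with it, the first response replaces the stale cookie and later requests reuse the single new row.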
