session middleware claims user tampered with session cookie

[Michael Soulier <msoulier@…>]

I am using the latest stable release of Django, 0.96, on CentOS Linux 4.6 with PostgreSQL postgresql-7.4.13-2.RHEL4.1.

I have had problems maintaining session persistence so I dropped some debug code into the session middleware, and found this:

INFO:django-teleworker:Session key is f26b6104bc3d7fa04311857265c3d3c5
session was in cache
failed to pull session from db, making new one
err = User tampered with session cookie.

django.contrib.sessions.models.Session.get_decoded is raising a SuspiciousOperation exception. It's not clear why.

>>> from django.contrib.sessions.models import Session
>>> q = Session.objects.all()
>>> for s in q:
...    print s.get_decoded()
...
Traceback (most recent call last):
  File "<console>", line 2, in ?
  File "/var/tmp/django-0.96.2-root/usr/lib/python2.3/site-packages/django/contrib/sessions/models.py", line 82, in get_decoded
SuspiciousOperation: User tampered with session cookie.

As things are I may have to remove this check to get things working. I looked in the trunk in SVN and this code doesn't seem any different.

[Michael Soulier <msoulier@…>]

tamper_check is a305745fe8814bc9d8c035287c6f6f67
DEBUG:django-teleworker:md5 output is 6d362166ae93f8326e90ef32a0b748ab

For some reason, the md5 sums aren't matching.

[Michael Soulier <msoulier@…>]

This seems relevant.

​http://code.djangoproject.com/wiki/ModPython

And this

​http://tjulo.blogspot.com/2007/03/problems-with-md5-and-modpython.html

[Michael Soulier <msoulier@…>]

I just patched the session middleware to use sha instead of md5, and it seems to be working.

[spage@…]

Adding self to cc

[Jacob]

I can't reproduce this on trunk. Please reopen if you have more details that help reproduce the problem.