

Version 17 (modified by mrts, 6 years ago)


Part of DjangoSpecifications

Session framework improvements

The following tickets are related to sessions

Some of the tickets are interrelated, and some of them pose security risks.

See also the discussion at http://groups.google.com/group/django-developers/browse_thread/thread/fbcfa88c997d1bb3 and http://groups.google.com/group/django-developers/browse_thread/thread/8cb4edee0db52197 .

Other projects to draw inspiration from: Beaker.

Proposal

The following is required from the session framework:

  • no session key collisions on creation (#1180)
  • there is a method for clearing session data (#7515)
  • session data is not shared between different users (#6941): the session is cleared on logout, and if user A is still logged in when user B logs in, the session is cleared on login as well (anonymous session data is not cleared) -- depends on the previous item
  • DONE: supports controlling session lifetime (comment:ticket:2548:9 describes the use case)
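
The first three requirements above, sketched as an added example over a toy in-memory store; this is not Django's session code. `SessionStore`, `keygen`, `cycle_key`, `USER_ID`, `login` and `logout` are hypothetical names, and the key rotation on login goes beyond what the list asks for.

```python
import secrets

USER_ID = "_user_id"  # assumed name of the slot holding the logged-in user


class SessionStore:
    """Toy in-memory store (hypothetical, not Django's implementation)."""
    _db = {}  # session key -> data dict; stands in for the backend table
    keygen = staticmethod(lambda: secrets.token_urlsafe(24))

    def __init__(self, key=None):
        # A key the store does not know is never adopted; a fresh one is issued.
        self.key = key if key in self._db else self._create()

    def _create(self):
        # No collisions on creation: retry instead of overwriting a live session.
        while True:
            key = self.keygen()
            if key not in self._db:  # a real backend needs an atomic insert here
                self._db[key] = {}
                return key

    @property
    def data(self):
        return self._db[self.key]

    def flush(self):
        # Clearing: drop the data and the old key, continue under a new key.
        del self._db[self.key]
        self.key = self._create()

    def cycle_key(self):
        # Keep the data but change the key (added here, not a listed requirement).
        data = self._db.pop(self.key)
        self.key = self._create()
        self._db[self.key] = data


def login(session, user_id):
    current = session.data.get(USER_ID)
    if current is not None and current != user_id:
        session.flush()       # user A's data must not reach user B
    else:
        session.cycle_key()   # anonymous data survives the login
    session.data[USER_ID] = user_id


def logout(session):
    session.flush()
```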