SessionStore is missing a clear() or invalidate() method that will destroy the session. Is this intentional? If so, why? Cleaning a session is such a common requirement for session frameworks.
Looking through tickets, I found the following relevant to general session logic (in no particular order):

http://code.djangoproject.com/ticket/5549#comment:5
http://code.djangoproject.com/ticket/2548
http://code.djangoproject.com/ticket/3304
http://code.djangoproject.com/ticket/1180
http://code.djangoproject.com/ticket/6791
http://code.djangoproject.com/ticket/6941

Some of them are interrelated, some of them pose security risks. Quoting #6941: [4:17pm] jacobkm: Also, there's the question of whether the session is tied to the browser or to the user -- we're a bit muddled there currently. We shouldn't be muddled on that :)

Perhaps a bit of refactoring needs to be done on the features and logic of sessions? Beaker (http://beaker.groovie.org), referenced in #5549, looks like a sound base to compare Django session backend with (both feature- and logic-wise).

What I personally need is a secure session framework that

* has a well-defined relationship to request.user, preferably being cleanly separated from it,
* will not be re-used under any circumstances (#6941) and is protected against key collisions (#1180),
* supports concurrency (uses locking throughout as Beaker does, think mod_wsgi with threads),
* can be cleared/destroyed,
* supports controlling session lifetime (http://code.djangoproject.com/ticket/2548#comment:8 describes the use case).

Regards,
Mart Sõmermaa
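
The requirements listed in the message above (destroyable sessions, keys that are never re-used, collision checks, locking, a bounded lifetime) can be seen together in a small in-memory sketch. This is an added example, not part of the original message and not Django's or Beaker's code; `DemoSessionStore`, its method names and the injectable `keygen` parameter are hypothetical.

```python
import secrets
import threading
import time


class DemoSessionStore:
    """Hypothetical in-memory store; not Django's SessionStore API."""

    def __init__(self, max_age=1800, keygen=lambda: secrets.token_urlsafe(32)):
        self._lock = threading.RLock()  # guards all state for threaded workers
        self._live = {}                 # key -> [expires_at, data dict]
        self._retired = set()           # destroyed keys, never issued again
        self._max_age = max_age
        self._keygen = keygen           # injectable so collisions can be simulated

    def create(self, now=None):
        now = time.time() if now is None else now
        with self._lock:
            while True:  # collision check: reject live and retired keys
                key = self._keygen()
                if key not in self._live and key not in self._retired:
                    break
            self._live[key] = [now + self._max_age, {}]
            return key

    def _entry(self, key, now):
        # Caller holds the lock. Expired sessions are destroyed, not revived.
        entry = self._live.get(key)
        if entry is not None and entry[0] <= now:
            self.clear(key)
            return None
        return entry

    def get(self, key, name, default=None, now=None):
        now = time.time() if now is None else now
        with self._lock:
            entry = self._entry(key, now)
            return default if entry is None else entry[1].get(name, default)

    def set(self, key, name, value, now=None):
        now = time.time() if now is None else now
        with self._lock:
            entry = self._entry(key, now)
            if entry is None:
                return False  # unknown, expired or cleared key: never auto-create
            entry[1][name] = value
            return True

    def clear(self, key):
        with self._lock:
            if self._live.pop(key, None) is not None:
                self._retired.add(key)  # simplification: this set grows unbounded
```

A persistent backend would need the same guarantees from its storage layer (an atomic insert-if-absent for key creation, and deletion on `clear`) rather than a process-local lock.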