On Jul 8, 5:27 am, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
> Increasing some value from 32 bits to 64 bits is only changing some
> probabilities; it's not actually solving the problem, just moving the
> goalposts to make it harder to score an own goal. The rest of the
> conversation should proceed on the assumption that the bug about creating
> unique database entries will be fixed first.
Agreed that the uniqueness bug takes precedence. But the uniform 63-bit randomness patch is also important. Once collisions happen, their handling is quite expensive, so they should be better avoided in the first place. Moreover, 63 bits are already used on 64-bit machines and I don't see any reason not to use it on 32-bit machines as well.

---

I would like to get some feedback on the reliable session clearing problem next, http://code.djangoproject.com/ticket/7515 .

Clearing session data in one step is a trivial addition:

    def clear(self):
        self._session.clear()
        self.modified = True

Though better than manually erasing all session keys in a loop, this is not robust enough. Consider this scenario:

 * session with key X is created for user A
 * A "logs out" and session data is cleared, session key X will not be reset
 * session db backend tries to remove the empty session, but database connection fails, exception is raised
 * cookie with old session key X remains in browser
 * user B accesses the site using the same browser, cookie with key X will be sent to the site
 * database has come online, session exists and A's sensitive information will be happily served to B

Thus, reliable session clearing should assure that the session cookie is removed or updated with a different session key even when exceptions occur in the session storage backend.

No hurry in replying, but discussing this is important in my humble opinion.

Best,
Mart Sõmermaa
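The scenario above, as an added example that is not part of the original post or of Django's own code: a constructed in-memory session store (the `SessionStore`, `BackendUnavailable` and `logout_and_reuse_browser` names are assumptions) contrasts the one-step `clear()` from the message with a `flush()` that rotates the session key before touching the backend, so a backend outage during logout cannot leave the old key live in the browser.

```python
import secrets


class BackendUnavailable(Exception):
    """Constructed: stands in for a database error raised by the session store."""


class SessionStore:
    """Constructed in-memory session store; `db` is a dict standing in for the table."""

    def __init__(self, db, session_key=None):
        self.db = db
        self.session_key = session_key
        self._session = dict(db.get(session_key, {})) if session_key else {}
        self.modified = False
        self.db_online = True  # flipped to False to simulate the outage in the scenario

    def clear(self):
        # Naive one-step clear from the thread: data emptied, key kept.
        self._session.clear()
        self.modified = True

    def flush(self):
        # Robust clear: forget the old key and mint a new one *before* any backend
        # call, so the cookie is rotated even if delete() raises.
        self._session = {}
        old_key, self.session_key = self.session_key, secrets.token_hex(16)
        self.modified = True
        try:
            self.delete(old_key)
        except BackendUnavailable:
            pass  # a stale row may linger, but no browser holds its key any more

    def delete(self, key):
        if not self.db_online:
            raise BackendUnavailable("session db down")
        self.db.pop(key, None)

    def save(self):
        if not self.db_online:
            raise BackendUnavailable("session db down")
        self.db[self.session_key] = dict(self._session)


def logout_and_reuse_browser(db, key, use_flush, db_down_during_logout):
    """Return (cookie_key_changed, data user B sees) after A logs out on a shared browser."""
    a = SessionStore(db, key)
    a.db_online = not db_down_during_logout
    a.flush() if use_flush else a.clear()
    try:
        a.save()
    except BackendUnavailable:
        pass  # logout response is still sent; the cookie carries a.session_key
    b = SessionStore(db, a.session_key)  # database is back online for B's request
    return a.session_key != key, dict(b._session)
```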