On Fri, May 18, 2012 at 10:51 AM, Tom Evans <tevans...@googlemail.com> wrote:
> On Wed, May 16, 2012 at 4:38 PM, Aymeric Augustin
> <aymeric.augus...@polytechnique.org> wrote:
>> 2012/5/16 Tom Evans <tevans...@googlemail.com>:
>>> So, is the session key being available part of the API, or is relying
>>> on the session key existing incorrect?
>>
>> Hi Tom,
>>
>> Accessing the session key before saving the session is incorrect.
>>
>
> Accessing the session key before saving the session is incorrect, but
> there is nothing in the session API to determine if a session is
> saved.
>
> Accessing the session key is a documented feature of sessions.
>
> I don't see a good way to support 1.3 and 1.4, or in 1.3 to work
> around the bug that this fixes, without explicitly saving the session
> object each time prior to accessing the session key, which is not a
> particularly clever way of doing things. This API needs to be looked
> at.
>

Further to this, there is a potential race condition calling
session.save() on an unsaved session using the DB backend.

When the session key is generated, _get_new_session_key() is called,
which generates a session key until one is found that doesn't exist in
the backend store. save() then tries one time to store this session in
the database. If two sessions are being saved simultaneously, and
generate the same (unused) session id, then one of the session saves
will fail.

This behaviour contrasts with create(), which will keep cycling
session ids until it manages to persist one in the backend.

So to sum up:

You can't look at session.session_key without the session having been
saved.
You can't determine whether a session has been saved or not.
Saving a session has a race condition, failing with an IntegrityError
in case of key collision.

Cheers

Tom
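
The race described in the message above, as an added example that is not part of the original post and is not Django's code: it models the check-then-insert pattern against an in-memory SQLite table and contrasts a single save attempt with a retry loop. The function names, the table layout and the fixed candidate keys are assumptions constructed to force the collision deterministically.

```python
import sqlite3

def make_store():
    """In-memory table with a unique session_key, standing in for the DB backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (session_key TEXT PRIMARY KEY, data TEXT)")
    return db

def pick_unused_key(db, candidates):
    """Check-then-use: return the first candidate not yet present in the store."""
    for key in candidates:
        row = db.execute("SELECT 1 FROM session WHERE session_key = ?", (key,)).fetchone()
        if row is None:
            return key
    raise RuntimeError("candidate keys exhausted")

def save_once(db, key, data):
    """Single INSERT attempt; a collision surfaces as sqlite3.IntegrityError."""
    db.execute("INSERT INTO session (session_key, data) VALUES (?, ?)", (key, data))

def create_with_retry(db, candidates, data):
    """Let the unique constraint arbitrate: retry with the next key on collision."""
    for key in candidates:
        try:
            save_once(db, key, data)
            return key
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError("candidate keys exhausted")

def race_with_single_save():
    db = make_store()
    # Constructed collision: both requests draw "k1" and check before either writes.
    key_a = pick_unused_key(db, ["k1", "k2"])
    key_b = pick_unused_key(db, ["k1", "k3"])
    save_once(db, key_a, "request A")
    try:
        save_once(db, key_b, "request B")
    except sqlite3.IntegrityError:
        return "IntegrityError"
    return "both saved"

def race_with_retry():
    db = make_store()
    return (create_with_retry(db, ["k1", "k2"], "request A"),
            create_with_retry(db, ["k1", "k3"], "request B"))

if __name__ == "__main__":
    print(race_with_single_save())
    print(race_with_retry())
```

The existence check and the insert are separate statements, so the check cannot guarantee the key is still free at write time; only the unique constraint can, which is why the retry variant treats the constraint violation as the signal to pick another key.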