Hi all,

Recently, I have been working on some patches for contrib.sessions. These include a server-side session expiry check (#18194) and some other trivial changes. These changes are in the pull request [#78][pull-78].

The expiry check is done in the base backend, i.e. inherited by every backend, utilizing the timed signer from the signing framework. This would mean that only session data which was signed within a duration of `settings.SESSION_COOKIE_AGE` will be valid. The format in which session data is stored is changed with this, so existing sessions are invalidated and reset.

To prevent loss of existing sessions, I have provided a compatibility setting which, when set to true, will run the legacy decoding mechanism on a failed session decode with the new one. This does make the system susceptible to all attacks possible with the previous mechanism.

I have moved the session cleanup command logic to the individual backends. Cleanup for session data will be done on the basis of the current backend setting, instead of just for the database backend.

Also, the session key character set is now `a-z0-9`.

--
Rohan

[pull-78]: https://github.com/django/django/pull/78
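To make the mechanism described in the message concrete, here is an added, self-contained sketch of the encode/decode path it outlines: session data is serialized and signed with a timestamp, decoding rejects data whose signature is bad or older than `SESSION_COOKIE_AGE`, and an opt-in compatibility flag falls back to a legacy (timestamp-less) decoder. This is illustration code written for this note, not Django's signing framework, the session backend, or the code in pull request #78. The signer (`timestamp_sign` / `timestamp_unsign`), the legacy format (`legacy_encode` / `legacy_decode`), the `legacy_fallback` flag, and the secret key are all constructed stand-ins chosen to show the behaviour, not Django's actual formats or setting names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import string
import time

# Constructed values standing in for Django settings (not Django's code).
SECRET_KEY = b"constructed-secret-key-for-this-example"
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2  # two weeks, in seconds
SESSION_KEY_ALPHABET = string.ascii_lowercase + string.digits  # a-z0-9, as in the message


class BadSignature(Exception):
    """Signature missing, malformed, or not matching."""


class SignatureExpired(BadSignature):
    """Signature verified, but the timestamp is older than max_age."""


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str, salt: str) -> str:
    # Salted, keyed MAC; the salt keeps session signatures distinct from other signed values.
    key = hashlib.sha256(salt.encode() + SECRET_KEY).digest()
    return _b64encode(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def timestamp_sign(value: str, *, salt: str = "session", now=None) -> str:
    """Produce 'value:timestamp:mac'. `value` must not contain ':' (base64url never does)."""
    issued = int(time.time() if now is None else now)
    payload = f"{value}:{issued}"
    return f"{payload}:{_mac(payload, salt)}"


def timestamp_unsign(signed: str, *, max_age: int, salt: str = "session", now=None) -> str:
    """Verify the MAC first, then enforce max_age; raise BadSignature/SignatureExpired otherwise."""
    payload, sep, sig = signed.rpartition(":")
    if not sep or not hmac.compare_digest(sig, _mac(payload, salt)):
        raise BadSignature("signature does not match")
    value, _, ts = payload.rpartition(":")
    try:
        issued = int(ts)
    except ValueError:
        raise BadSignature("malformed timestamp") from None
    age = (time.time() if now is None else now) - issued
    if age > max_age:
        raise SignatureExpired(f"signed {age:.0f}s ago, max_age is {max_age}s")
    return value


def legacy_encode(session_dict: dict) -> str:
    # Constructed stand-in for the pre-patch, timestamp-less format: base64(hash ":" payload).
    payload = json.dumps(session_dict, sort_keys=True)
    digest = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha1).hexdigest()
    return base64.b64encode(f"{digest}:{payload}".encode()).decode("ascii")


def legacy_decode(session_data: str) -> dict:
    # validate=True makes new-format strings (which contain ':') fail here instead of half-decoding.
    digest, sep, payload = base64.b64decode(session_data, validate=True).decode().partition(":")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha1).hexdigest()
    if not sep or not hmac.compare_digest(digest, expected):
        raise BadSignature("legacy hash mismatch")
    return json.loads(payload)


def encode_session(session_dict: dict, *, now=None) -> str:
    """New format: timestamp-signed base64url(JSON)."""
    serialized = _b64encode(json.dumps(session_dict, sort_keys=True).encode())
    return timestamp_sign(serialized, now=now)


def decode_session(session_data: str, *, now=None, legacy_fallback: bool = False) -> dict:
    """Return the session dict, or {} (a fresh, empty session) when the data cannot be trusted."""
    try:
        serialized = timestamp_unsign(session_data, max_age=SESSION_COOKIE_AGE, now=now)
        return json.loads(_b64decode(serialized))
    except (BadSignature, ValueError):
        pass  # bad MAC, expired, or malformed: fall through
    if legacy_fallback:
        # Compatibility mode: accept old-format data, which carries no expiry timestamp.
        try:
            return legacy_decode(session_data)
        except (BadSignature, ValueError):
            pass
    return {}


def generate_session_key(length: int = 32) -> str:
    """Random session key drawn only from a-z0-9, using a CSPRNG."""
    return "".join(secrets.choice(SESSION_KEY_ALPHABET) for _ in range(length))
```

Decoding checks the MAC before it looks at the timestamp, so an attacker cannot learn anything from the expiry branch without first forging a signature; and an expired or tampered session yields an empty dict rather than an error, which is what resets the session. With `legacy_fallback=True`, data in the old format is accepted without any age bound, which is exactly the trade-off the message points out.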