> On 10 Nov 2018, at 13:00, ludovic coues <cou...@gmail.com> wrote:
>
> I don't see how this would work.
>
> For example the session. You take the user cookie. You try to validate with
> your secret key. That doesn't work because the current key is the new one.
>
> With a custom cookie backend, you could check if the old secret could
> validate the cookie. But you need to change your cookie backend to handle the
> case of multiple secret keys. And all third-party session backends need to
> update.

I propose that we make the low level django.core.signing aware of multiple
keys. Everything that is already using django.core.signing such as signed
cookies, sessions and password reset tokens would *not* need to change.

Cheers,
Andreas
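
A sketch of the proposal above, as an added example that is not part of the original message and not Django's code: signing always uses the current key, while verification walks a list of keys, so callers keep the same sign/unsign calls during a rotation. The names `sign`, `unsign`, `refresh`, `BadSignature`, the `value:signature` format and both keys are assumptions made for illustration, using only the Python standard library.

```python
import base64
import hashlib
import hmac
from typing import Sequence

SEP = ":"  # constructed "value:signature" format, for illustration only


class BadSignature(Exception):
    """No configured key validates the signature."""


def _mac(value: str, key: bytes) -> bytes:
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


def sign(value: str, keys: Sequence[bytes]) -> str:
    # New signatures are always made with the first (current) key.
    return f"{value}{SEP}{_mac(value, keys[0]).decode()}"


def unsign(signed: str, keys: Sequence[bytes]) -> str:
    value, sep, sig = signed.rpartition(SEP)
    if not sep:
        raise BadSignature("no signature found")
    # Accept the current key or any older key still in the list.
    # compare_digest on bytes keeps each comparison constant-time.
    for key in keys:
        if hmac.compare_digest(sig.encode(), _mac(value, key)):
            return value
    raise BadSignature("signature matches none of the configured keys")


def refresh(signed: str, keys: Sequence[bytes]) -> str:
    # Re-issue a value under the current key so old keys can be retired.
    return sign(unsign(signed, keys), keys)


# Constructed keys for the example; real keys come from configuration.
OLD_KEY = b"old-secret-constructed"
NEW_KEY = b"new-secret-constructed"

if __name__ == "__main__":
    cookie = sign("sessionid-abc123", [OLD_KEY])     # issued before rotation
    keys = [NEW_KEY, OLD_KEY]                        # rotation window
    print(unsign(cookie, keys))                      # still validates
    print(unsign(refresh(cookie, keys), [NEW_KEY]))  # valid once OLD_KEY is dropped
```

Old keys stay in the list only as long as values signed with them should remain valid; removing a key invalidates everything still signed with it.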