Looking through blame, it looks like this hardcoded salt was added in 2010:
https://github.com/django/django/commit/45c7f427ce830dd1b2f636fb9c244fda9201cadb#diff-3a6c11bbe36a0e6927f71ad8d669f0021897ba73768ee41073a318a12e11c3d1L85-L90

This actually changed from using the secret key as the salt, to the fixed
string, whilst also changing the algorithm from MAC to HMAC. But I cannot
see any discussion on why in the ticket:
https://code.djangoproject.com/ticket/14445 .

🤷‍♂️

On Mon, Oct 3, 2022 at 8:43 AM Lokesh Sanapalli <s.lokesh1...@gmail.com>
wrote:

> Hi,
>
> I was going through the code and got a question. I saw that we are using
> hard-coded string `django.contrib.sessions` as the key salt to encode
> session data
> <https://github.com/django/django/blob/main/django/contrib/sessions/backends/base.py#L64>.
> Why not use the secret key? As the secret key is specific to the environment
> and project, it serves as a good candidate. Is it because the session data
> does not contain any sensitive info (it only contains user id and other
> info) so that's why this decision is made?
>
> Thanks & Regards,
> Lokesh Sanpalli
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/6c6544b7-a190-4198-9108-6c66fac213ebn%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/6c6544b7-a190-4198-9108-6c66fac213ebn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
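To make the mechanism under discussion concrete, the following is an added example (not code from Django or from either poster) that reimplements the salted-HMAC construction Django's `django.utils.crypto.salted_hmac` uses: the HMAC key is a hash of the `key_salt` concatenated with the secret key. It shows why a hard-coded salt such as `django.contrib.sessions` is a purpose label rather than a secret: the secret key still feeds the MAC, so a tag computed under one `SECRET_KEY`, one salt, or one payload fails verification under any other. The `SECRET_KEY` value, the session payload and the second salt string are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for settings.SECRET_KEY; a real deployment has its own.
SECRET_KEY = "example-secret-key-not-for-production"

# Fixed purpose label for session hashing, as discussed in the thread.
SESSION_KEY_SALT = "django.contrib.sessions"


def salted_hmac(key_salt, value, secret, algorithm="sha1"):
    """Reimplementation of the salted-HMAC construction (example code).

    The HMAC key is hash(key_salt + secret): the salt selects the purpose,
    the secret supplies the secrecy. A public, fixed salt therefore does not
    weaken the MAC as long as the secret key stays private.
    """
    hasher = getattr(hashlib, algorithm)
    key = hasher(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hasher)


def sign_session(session_data, secret=SECRET_KEY):
    """Tag serialized session data under the session purpose salt."""
    return salted_hmac(SESSION_KEY_SALT, session_data, secret).hexdigest()


def verify_session(session_data, tag, secret=SECRET_KEY):
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    expected = sign_session(session_data, secret)
    return hmac.compare_digest(expected, tag)


def demo():
    """Exercise the four cases a defender cares about; returns a dict of results."""
    data = '{"_auth_user_id": "42"}'  # constructed session payload
    tag = sign_session(data)
    return {
        # Unmodified data under the same secret and salt verifies.
        "valid": verify_session(data, tag),
        # Any change to the payload invalidates the tag.
        "tampered_data": verify_session('{"_auth_user_id": "1"}', tag),
        # Rotating SECRET_KEY invalidates every previously issued tag.
        "other_secret": verify_session(data, tag, secret="another-secret"),
        # Same secret and data under a different purpose salt: a tag issued
        # for sessions cannot be replayed as a tag for another purpose.
        "other_salt": hmac.compare_digest(
            salted_hmac("example.other.purpose", data, SECRET_KEY).hexdigest(),
            tag,
        ),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'rejected'}")
```

Running the block prints one line per case; only `valid` verifies. The practical consequence for operators is that secrecy of session tags rests entirely on `SECRET_KEY`, not on the salt string, so protecting and rotating the secret key is what matters, and distinct salts per purpose keep a tag valid for one use from being accepted for another.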
