#22638: Form wizard may raise unreasonable exceptions in case of SECRET_KEY 
change
-----------------------------------+--------------------
     Reporter:  erikr              |      Owner:  nobody
         Type:  Bug                |     Status:  new
    Component:  contrib.formtools  |    Version:  1.6
     Severity:  Normal             |   Keywords:
 Triage Stage:  Unreviewed         |  Has patch:  0
Easy pickings:  0                  |      UI/UX:  0
-----------------------------------+--------------------
 Our form wizard has two storage options: sessions and cookies, with
 `SessionWizardView` and `CookieWizardView`. To prevent manipulation, the
 cookies storage uses the signed cookies from `django.core.signing`. This
 creates a signature based on the `SECRET_KEY`. If the secret key is
 changed, `request.get_signed_cookie` will raise an exception, in which
 case the storage will raise `WizardViewCookieModified`, a subclass of
 `SuspiciousOperation`.

 The cookie is loaded very early in the rendering of the form wizard
 view. This means that if a user starts a form wizard, and the secret key
 is changed, any requests to the wizard will result in an exception and
 likely a 500 error. The user can only recover from this by deleting the
 cookie or restarting the browser (it seems to only persist in the current
 session).

 It may appear sensible to raise a `SuspiciousOperation` for a possible
 cookie manipulation, but we currently don't do this in any other place,
 like sessions. Currently, users may suddenly get 500 errors for no clear
 reason, and the developer of the project has no ability to help them.
 Leaving this as is may also discourage people from rotating their secret
 key when needed.

 I suggest that in case of an invalid wizard cookie, we simply ignore the
 value and thereby return the user to the first step.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/22638>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
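As an added illustration (not code from the ticket or from Django), a stdlib HMAC stand-in for `django.core.signing` that contrasts the current behaviour (a bad signature becomes an exception, so a 500 on every request) with the proposed one (a bad signature is treated like no cookie, so the wizard restarts at the first step). The exception, function and step names are hypothetical, and the stale cookie is a constructed sample.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical stand-ins for django.core.signing.BadSignature and the
# WizardViewCookieModified (a SuspiciousOperation) the ticket describes.
class BadSignature(Exception):
    """Signature does not verify under the current key (tampering or key rotation)."""

class WizardCookieModified(Exception):
    """Current behaviour: propagates out of the view and the user sees a 500."""

def _signature(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def sign_cookie(key: bytes, state: dict) -> str:
    """Serialise wizard state and append an HMAC over it, like a signed cookie."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    return f"{payload}:{_signature(key, payload)}"

def unsign_cookie(key: bytes, cookie: str) -> dict:
    """Verify the HMAC under `key` before trusting anything in the cookie."""
    payload, _, sig = cookie.rpartition(":")
    if not hmac.compare_digest(sig.encode(), _signature(key, payload).encode()):
        raise BadSignature("cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload.encode()))

def first_step_state() -> dict:
    return {"step": "step1", "step_data": {}}

def load_state_current(key: bytes, cookie: str) -> dict:
    """Behaviour the ticket complains about: a stale cookie raises on every request."""
    try:
        return unsign_cookie(key, cookie)
    except BadSignature as exc:
        raise WizardCookieModified(str(exc)) from exc

def load_state_proposed(key: bytes, cookie: "str | None") -> dict:
    """Proposed behaviour: an invalid cookie counts as no cookie; restart at step one."""
    if cookie is None:
        return first_step_state()
    try:
        return unsign_cookie(key, cookie)
    except BadSignature:
        return first_step_state()  # stale state discarded, no 500

# Constructed scenario: state saved under the old SECRET_KEY, then the key is rotated.
STALE_COOKIE = sign_cookie(b"old-secret-key", {"step": "step3", "step_data": {"step1": {"name": "erik"}}})
```

Django's real signer also mixes in a salt and can timestamp the value; the stand-in only reproduces the control flow the ticket is about.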