#25125: Add a check in the checks framework for colliding LANGUAGE_COOKIE_NAME &
SESSION_COOKIE_NAME
----------------------------------+------------------------------------
Reporter: kezabelle | Owner: kswiat
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
----------------------------------+------------------------------------
Comment (by kezabelle):
I don't think worrying about third party apps is worth additional
complexity. They already have a generic way to ensure their cookie name
doesn't collide - write a check of their own and add it to their default
AppConfig. I appreciate this means that there's semi-duplicate code at the
3rd party end, but it means:
- they know it will be checked.
- they know which cookies '''could''' collide, given Django + their app
- their check is subsequently unlikely to change much, because Django only
ships N (3?) cookie names.
If collisions do happen downstream, users can open tickets there to try
and get them separately namespaced, or come back here and demand better.
Given the overall lack of reports about the possible problem, prior to my
noticing the settings notes, I'm not convinced the problem ''exists'' -
we're just introducing a check in Django to ensure it would always be
noticed if incorrect given the known variables. Better to have a check
which works now, and add some sort of hook down the road for third party
app authors, if the desire for such is presented.
To my mind, the check could go one of 2 ways:
- Stay as a session check (with the implication that it is about sessions
specifically) and make the warning say something like "session name cannot
be the same as language code name or csrf token name" and make the hint
say which one(s) it collided with.
- Stop being a session-oriented check, and emit an error for whichever
names collide (i.e. if language code and csrf token names match, that
shouldn't be a "session check", because it's unrelated).
Addendum:
`CSRF_COOKIE_NAME` settings docs should probably have the same
parenthesised note the other cookies do, as I didn't pick that one up :)
--
Ticket URL: <https://code.djangoproject.com/ticket/25125#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
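
The second option in the comment (report whichever names collide), written as a check a third-party app could register from its own AppConfig. This is an added example, not code from the ticket or its patch; `MYAPP_COOKIE_NAME` and the check id `myapp.E001` are hypothetical.

```python
from collections import defaultdict
from types import SimpleNamespace

# The cookie-name settings Django itself ships, per the ticket discussion.
DJANGO_COOKIE_SETTINGS = (
    "SESSION_COOKIE_NAME",
    "LANGUAGE_COOKIE_NAME",
    "CSRF_COOKIE_NAME",
)


def find_collisions(settings, setting_names=DJANGO_COOKIE_SETTINGS):
    """Map each cookie name used by two or more settings to those settings."""
    by_value = defaultdict(list)
    for setting in setting_names:
        value = getattr(settings, setting, None)
        if value:  # unset or empty settings cannot collide
            by_value[value].append(setting)
    return {v: s for v, s in by_value.items() if len(s) > 1}


def check_cookie_name_collisions(app_configs, **kwargs):
    """Django system check: one Error per colliding cookie name."""
    # Imported here so this module can be loaded without configured settings.
    from django.conf import settings
    from django.core.checks import Error

    # MYAPP_COOKIE_NAME is a hypothetical third-party setting.
    names = DJANGO_COOKIE_SETTINGS + ("MYAPP_COOKIE_NAME",)
    return [
        Error(
            "Cookie name %r is shared by several settings." % value,
            hint="Give each of %s a distinct value." % ", ".join(colliding),
            id="myapp.E001",  # hypothetical check id
        )
        for value, colliding in sorted(find_collisions(settings, names).items())
    ]


# Registration belongs in the app's AppConfig.ready():
#     from django.core.checks import register
#     register(check_cookie_name_collisions)

# Constructed settings: the language cookie was renamed onto the session one.
SAMPLE = SimpleNamespace(
    SESSION_COOKIE_NAME="sessionid",
    LANGUAGE_COOKIE_NAME="sessionid",
    CSRF_COOKIE_NAME="csrftoken",
)
```

Because the error names every setting that shares the value, a language/CSRF clash is reported as such rather than as a session problem.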