#34384: SECRET_KEY_FALLBACKS is not used for sessions
---------------------------------+------------------------------------
     Reporter:  Eric Zarowny     |                    Owner:  nobody
         Type:  Bug              |                   Status:  new
    Component:  contrib.auth     |                  Version:  4.1
     Severity:  Release blocker  |               Resolution:
     Keywords:                   |             Triage Stage:  Accepted
    Has patch:  0                |      Needs documentation:  0
  Needs tests:  0                |  Patch needs improvement:  0
Easy pickings:  0                |                    UI/UX:  0
---------------------------------+------------------------------------
Changes (by Mariusz Felisiak):
 * cc: Carlton Gibson, Andreas Pelme, terrameijar (added)
 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted

Comment:

 Thanks for the report. Agreed, we should check fallback session hashes. Bug
 in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

 > In particular for user sessions, using fallback keys in the
 > `AuthenticationMiddleware`/`auth.get_user(request)` will keep existing
 > `_auth_user_hash` values from before the rotation being seen as valid,
 > which is nice during the rotation period, but without any upgrading of
 > the `_auth_user_hash` values, when the rotation is finished and the
 > fallback keys are removed, all of those sessions will essentially be
 > invalidated again.
 >
 > So, I think possibly an additional need here is a way to upgrade the
 > cookies when a fallback key is used? Or at least documentation calling
 > out this drawback.
 > Edit: It's possible I'm conflating a cookie value and a session value,
 > but either way I think the principle of what I wrote stands?

 As far as I'm aware, this is a new feature request, not a bug in #30360, so
 we should discuss it separately. Maybe we could call
 `update_session_auth_hash()` when a fallback hash is valid 🤔

--
Ticket URL: <https://code.djangoproject.com/ticket/34384#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
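The rotation scenario discussed in the ticket, as an added example that is not Django's code or the ticket's own: a simplified stand-in for Django's session auth hash (the `salted_hmac` here uses SHA-256 and a fixed salt string, which only approximates the real helper), a verifier that tries the active key and then the fallbacks, and a `get_user` that rewrites `_auth_user_hash` under the active key whenever only a fallback matched, so the session survives removal of the fallback. All key and password-hash values are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for django.utils.crypto.salted_hmac(): the key is
# sha256(salt + secret) and the hash is HMAC-SHA256 over the value.
SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"

def salted_hmac(secret, value):
    key = hashlib.sha256((SALT + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def session_auth_hash(password_hash, secret):
    """The value stored in the session as _auth_user_hash for this key."""
    return salted_hmac(secret, password_hash)

def verify(stored, password_hash, secret, fallbacks):
    """Return (valid, used_fallback): try the active key first, then each
    SECRET_KEY_FALLBACKS entry, comparing in constant time."""
    if hmac.compare_digest(stored, session_auth_hash(password_hash, secret)):
        return True, False
    for fallback in fallbacks:
        if hmac.compare_digest(stored, session_auth_hash(password_hash, fallback)):
            return True, True
    return False, False

def get_user(session, password_hash, secret, fallbacks):
    """Check the session hash; when only a fallback key matched, rewrite it
    under the active key (the upgrade step proposed in the ticket).
    Returns "ok", "upgraded" or "invalid"."""
    valid, used_fallback = verify(session["_auth_user_hash"], password_hash,
                                  secret, fallbacks)
    if not valid:
        return "invalid"
    if used_fallback:
        session["_auth_user_hash"] = session_auth_hash(password_hash, secret)
        return "upgraded"
    return "ok"

def rotation_walkthrough():
    """Constructed rotation: session issued under the old key, old key kept in
    fallbacks during rotation, then removed. Returns the three outcomes."""
    pw_hash, old, new = "pbkdf2_sha256$constructed", "old-key", "new-key"
    session = {"_auth_user_hash": session_auth_hash(pw_hash, old)}
    stale = dict(session)  # same session contents, but never upgraded
    during = get_user(session, pw_hash, new, [old])  # -> "upgraded"
    after = get_user(session, pw_hash, new, [])      # -> "ok"
    after_stale = get_user(stale, pw_hash, new, [])  # -> "invalid"
    return during, after, after_stale
```

The `stale` copy shows the outcome the ticket warns about: without the upgrade, every session issued under the old key becomes invalid the moment the fallback is dropped.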