#14652: Sessions seem to be improperly using Pickle to hash a dictionary
----------------------------------------------+-----------------------------
Reporter: PaulM | Owner: nobody
Status: closed | Milestone: 1.3
Component: django.contrib.sessions | Version: 1.2
Resolution: invalid | Keywords:
Stage: Unreviewed | Has_patch: 0
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
----------------------------------------------+-----------------------------
Comment (by PaulM):
I'm not sure I see the distinction between using a pickle directly as a
unique hash vs. hashing it and using that. A differently ordered but valid
pickle of the same data will still produce a different MAC, and so fail
our check.

In the worst case scenario, people's sessions disappear. They're
relatively ephemeral in any case.

As Tim pointed out in the quote though, the pickle value (and hence the
MAC) may change across Python versions or even runs of Python. If we go to
the trouble of ensuring that old sessions don't become invalidated on
updating Django, it seems like those might also be circumstances we worry
about. If we were using `cPickle`, we would probably already have
encountered this problem.

I suppose at this point it's not a bug until someone actually encounters
difficulty with it. "Why are my sessions disappearing randomly" sounds
pretty painful to troubleshoot though.
--
Ticket URL: <http://code.djangoproject.com/ticket/14652#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
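
The point discussed in the comment above, as an added example that is not part of the ticket and is not Django's code: a MAC over pickled bytes stays valid when it is checked against the stored bytes, but not when equal data is re-serialized in a different key order or pickle protocol. The HMAC-SHA256 construction, the key and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import pickle

SECRET = b"constructed-demo-key"  # constructed value, not a real secret


def mac(payload):
    """HMAC-SHA256 over the exact serialized bytes (assumed construction)."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def encode(session, protocol):
    """Serialize the session and return (payload, tag), stored together."""
    payload = pickle.dumps(session, protocol=protocol)
    return payload, mac(payload)


def decode_stored(payload, tag):
    """Verify the tag over the stored bytes, then unpickle those same bytes.

    Verification comes first so unauthenticated bytes never reach pickle.loads.
    """
    if not hmac.compare_digest(mac(payload), tag):
        raise ValueError("session tampered or corrupted")
    return pickle.loads(payload)


def verify_by_repickling(session, tag, protocol):
    """Fragile variant: re-serialize the data and compare with the old tag."""
    fresh = pickle.dumps(session, protocol=protocol)
    return hmac.compare_digest(mac(fresh), tag)


def demo():
    a = {"user_id": 42, "cart": [1, 2, 3]}   # constructed session data
    b = {"cart": [1, 2, 3], "user_id": 42}   # equal dict, other insertion order
    payload, tag = encode(a, protocol=2)
    return {
        "equal_data": a == b,
        "stored_bytes_verify": decode_stored(payload, tag) == a,
        "same_input_repickle_verifies": verify_by_repickling(a, tag, 2),
        "reordered_repickle_verifies": verify_by_repickling(b, tag, 2),
        "other_protocol_repickle_verifies": verify_by_repickling(a, tag, 4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
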