#16199: Create a secure cookie-based session backend
---------------------------------------+----------------------------------
               Reporter:  floguy       |          Owner:  nobody
                   Type:  New feature  |         Status:  new
              Milestone:               |      Component:  contrib.sessions
                Version:  SVN          |       Severity:  Normal
             Resolution:               |       Keywords:
           Triage Stage:  Accepted     |      Has patch:  1
    Needs documentation:  1            |    Needs tests:  0
Patch needs improvement:  1            |  Easy pickings:  0
                  UI/UX:  0            |
---------------------------------------+----------------------------------
Changes (by PaulM):

 * needs_better_patch:  0 => 1


Comment:

 I commented on #16182, but will go into more detail here. r16356 added 5
 digits of precision to the signed timestamp so that this cookie backend
 could pass the cookie rotation test. Adding these extra bits to our
 already limited cookie length isn't necessary, and the test should be
 modified to work with single-second precision for this backend.

 Unlike server-side session stores, when we rotate a cookie with this
 backend, we don't invalidate the previous one. In server-side session
 stores, rotating a cookie should destroy access to the data server side,
 so we need to test that this rotation works immediately. In this backend,
 we can't invalidate previously signed cookies (other than letting them
 expire naturally). So requiring that setting a cookie then immediately
 rotating it produce a different cookie isn't meaningful.

 We can either skip the test entirely, wait for one second to pass before
 trying the rotate function, or do something excessively clever to modify
 the time in-place. I'm in favor of skipping the test and reverting r16356.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16199#comment:11>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
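As an added illustration of the point made in the comment above (example code, not Django's own cookie backend or the ticket's patch): a minimal HMAC-signed cookie session with a whole-second timestamp, showing that rotating within the same second yields the identical cookie, that rotation cannot revoke the previously issued cookie, and that only expiry or a bad signature causes rejection. The secret, clock values, and cookie layout are constructed for this example.

```python
# Added example, not Django's code: a toy signed-cookie session backend with a
# one-second timestamp, to show why "rotate immediately and expect a different
# cookie" is not a meaningful test here, and why rotation cannot revoke old cookies.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: any server-held secret
MAX_AGE = 1209600                     # two weeks, in seconds


def _sign(body: bytes) -> str:
    """HMAC-SHA256 over payload and timestamp, base64url-encoded."""
    return base64.urlsafe_b64encode(
        hmac.new(SECRET, body, hashlib.sha256).digest()).decode()


def make_cookie(data: dict, now: int) -> str:
    """Layout: base64url(json) ':' integer-seconds ':' signature."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()).decode()
    body = f"{payload}:{now}"
    return f"{body}:{_sign(body.encode())}"


def load_cookie(cookie: str, now: int, max_age: int = MAX_AGE):
    """Return the session dict, or None if the signature is bad or it expired."""
    try:
        payload, ts, sig = cookie.rsplit(":", 2)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{payload}:{ts}".encode()), sig):
        return None
    if now - int(ts) > max_age:          # expiry is the only revocation
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def rotate(cookie: str, now: int) -> str:
    """Rotation for this backend is just re-signing the same data at `now`;
    no server-side state records that the old cookie should stop working."""
    return make_cookie(load_cookie(cookie, now), now)


def demo() -> dict:
    t = 1_700_000_000                     # constructed clock, whole seconds
    c1 = make_cookie({"user_id": 42}, t)
    return {
        "same_second_identical": rotate(c1, t) == c1,
        "next_second_differs": rotate(c1, t + 1) != c1,
        "old_cookie_still_valid": load_cookie(c1, t + 1) == {"user_id": 42},
        "old_cookie_expires": load_cookie(c1, t + MAX_AGE + 1) is None,
        "tampered_rejected": load_cookie(c1[:-2] + "XX", t) is None,
    }
```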
