#19155: New session backend instance does not respect a session_key parameter.
-------------------------------------+-------------------------------------
Reporter: niwi | Owner: nobody
Type: Bug | Status: closed
Component: contrib.sessions | Version: 1.4
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Design
Has patch: 1 | decision needed
Needs tests: 0 | Needs documentation: 0
Easy pickings: 0 | Patch needs improvement: 0
| UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by lrekucki):
* status: new => closed
* resolution: => invalid
* stage: Unreviewed => Design decision needed
Comment:
Judging by the comment on the test you modified:
{{{
#!python
def test_invalid_key(self):
# Submitting an invalid session key (either by guessing, or if
the db has
# removed the key) results in a new key being generated.
}}}
and [https://docs.djangoproject.com/en/dev/topics/http/sessions/#using-
sessions-out-of-views the docs]:
> In order to prevent session fixation attacks, sessions keys that
don't exist are regenerated.
it's certainly not a bug (because it works as documented and we test for
it), thus closing.
I don't see an obvious use case for creating sessions with explicit keys,
so if you decide to reopen this ticket as a feature request, please
describe yours in more detail.
--
Ticket URL: <https://code.djangoproject.com/ticket/19155#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit https://groups.google.com/groups/opt_out.
