#19324: invalid session keys cause unnecessary empty records in django_session table
----------------------------------+--------------------
Reporter: liangrubo@… | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: 1.4
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------
The db session store calls self.create when no record is found for the session
key, which causes an empty record to be inserted. Is this necessary? This gives
a user the chance to fill the session table with empty records by sending
invalid session keys.

Is it more appropriate to set session_key to None in this case?

Current implementation:
{{{
def load(self):
    try:
        s = Session.objects.get(
            session_key=self.session_key,
            expire_date__gt=timezone.now()
        )
        return self.decode(s.session_data)
    except (Session.DoesNotExist, SuspiciousOperation):
        # No valid row for this key: create() inserts a new, empty record.
        self.create()
        return {}
}}}
Suggested implementation:
{{{
def load(self):
    try:
        s = Session.objects.get(
            session_key=self.session_key,
            expire_date__gt=timezone.now()
        )
        return self.decode(s.session_data)
    except (Session.DoesNotExist, SuspiciousOperation):
        # No valid row for this key: drop the key instead of inserting a record.
        self.session_key = None
        return {}
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/19324>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
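
The difference between the two load() variants in the ticket, as an added example that is not part of the original ticket or of Django's code. `ToySessionStore`, its `create_on_miss` flag and `rows_after_invalid_requests` are hypothetical names, and a plain dict stands in for the django_session table.

```python
import secrets


class ToySessionStore:
    """In-memory stand-in for the db session store (not Django's class)."""

    def __init__(self, table, session_key=None, create_on_miss=True):
        self.table = table              # dict: session_key -> session data
        self.session_key = session_key  # key taken from the request cookie
        self.create_on_miss = create_on_miss

    def create(self):
        # As the ticket describes: an empty record is inserted under a new key.
        self.session_key = secrets.token_hex(16)
        self.table[self.session_key] = {}

    def load(self):
        try:
            return self.table[self.session_key]
        except KeyError:
            if self.create_on_miss:
                self.create()            # "current implementation"
            else:
                self.session_key = None  # "suggested implementation"
            return {}


def rows_after_invalid_requests(n, create_on_miss):
    """Load n sessions with keys the server never issued; return row count."""
    table = {}
    for _ in range(n):
        bogus_key = secrets.token_hex(16)  # constructed sample input
        ToySessionStore(table, bogus_key, create_on_miss).load()
    return len(table)


if __name__ == "__main__":
    print("current:  ", rows_after_invalid_requests(1000, True), "rows")
    print("suggested:", rows_after_invalid_requests(1000, False), "rows")
```

With the current behaviour the table grows by one row per unknown key; with the suggested one it stays empty until something is actually stored in the session.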