#19324: invalid session keys cause unnecessary empty records in django_session table
-------------------------------------+-------------------------------------
Reporter: liangrubo@…                | Owner: nobody
Type: Bug                            | Status: new
Component: contrib.sessions          | Version: 1.4
Severity: Normal                     | Resolution:
Keywords:                            | Triage Stage: Design decision needed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by aaugustin):
* needs_better_patch: => 0
* stage: Unreviewed => Design decision needed
* needs_tests: => 0
* needs_docs: => 0
Comment:
You probably meant: `self._session_key = None`.
I don't immediately see how this could allow session fixation attacks —
but that doesn't prove anything :)
As is, this change causes two test failures:
{{{
Creating test database for alias 'default'...
Creating test database for alias 'other'...
........................................................................................x................................................F.............................F..........................................
======================================================================
FAIL: test_save (django.contrib.sessions.tests.DatabaseSessionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/aaugustin/Documents/dev/django/django/contrib/sessions/tests.py", line 143, in test_save
    self.assertTrue(self.session.exists(self.session.session_key))
AssertionError: False is not true
======================================================================
FAIL: test_save (django.contrib.sessions.tests.DatabaseSessionWithTimeZoneTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/aaugustin/Documents/dev/django/django/contrib/sessions/tests.py", line 143, in test_save
    self.assertTrue(self.session.exists(self.session.session_key))
AssertionError: False is not true
----------------------------------------------------------------------
Ran 210 tests in 0.353s
FAILED (failures=2, expected failures=1)
Destroying test database for alias 'default'...
Destroying test database for alias 'other'...
}}}
This could probably be resolved in `save()`, though.
----
In fact, this change would cause `save()` to be called instead of
`create()`. Currently the roles of these two functions overlap: `save()`
even has a `must_create` argument! See also #18344.
To sum up, the behavior described exists, but it has a very low impact,
and even with the proposed change it's easy to cause the cache to fill up.
I suspect this ticket should be closed in favor of a ticket describing a
refactoring of the sessions API to eliminate the redundancy between
`save()` and `create()`.
--
Ticket URL: <https://code.djangoproject.com/ticket/19324#comment:1>
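
A simplified model of the behaviour discussed in the comment above, added here as an example (it is not code from the ticket or from Django). `ToySessionStore`, its `lazy` flag and the two helper functions are hypothetical names, and a dict stands in for the `django_session` table; having `save()` create the row in the lazy variant is an assumption.

```python
import secrets


class ToySessionStore:
    """Simplified model of a DB-backed session store (hypothetical, not Django's code)."""

    def __init__(self, table, session_key=None, lazy=False):
        self.table = table               # dict standing in for the django_session table
        self._session_key = session_key  # value taken from the client's cookie
        self.lazy = lazy                 # True models `self._session_key = None` on a miss
        self.data = {}

    def create(self):
        # Pick a fresh server-generated key and insert an empty row for it.
        self._session_key = secrets.token_hex(16)
        self.table[self._session_key] = {}

    def load(self):
        if self._session_key in self.table:
            self.data = dict(self.table[self._session_key])
        elif self.lazy:
            self._session_key = None     # forget the unknown key, write nothing
        else:
            self.create()                # one empty row per unknown key
        return self.data

    def save(self):
        # Assumption: in the lazy variant save() takes over create()'s job.
        if self._session_key is None:
            self.create()
        self.table[self._session_key] = dict(self.data)


def rows_after_unknown_keys(lazy, n=100):
    """Load n sessions whose cookie value matches no stored row; return the row count."""
    table = {}
    for i in range(n):
        ToySessionStore(table, session_key=f"unknown-{i}", lazy=lazy).load()
    return len(table)


def key_after_write(lazy, cookie="client-chosen"):
    """Load with an unknown key, store data, save; return (final key, table)."""
    table = {}
    store = ToySessionStore(table, session_key=cookie, lazy=lazy)
    store.load()
    store.data["user_id"] = 1
    store.save()
    return store._session_key, table
```

In this model both variants store the row under a server-generated key, never the client-supplied one; they differ only in whether a read with an unknown key writes a row.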