> Why not write a "secure" session backend? (You would presumably
> also need to require signed cookies for the session.)

The cookies are already signed. Session data +
settings.SECRET_KEY is md5-digested and tampering raises an
exception. So in that sense the sessions are already secure.
Note that it is possible to create controlled collisions for md5,
thus session data *can* actually be tampered with, so I may end
up writing a version based on sha256 HMAC instead someday.
But as of now I can live with md5-based "signing".

Once Python 2.3/2.4 support is dropped, we can start using
higher-grade hash algorithms from the 2.5 hashlib module throughout. But
this is off-topic for the current discussion and will not happen in
the foreseeable future.

The relationship between user and session
-----------------------------------------

Associating some session data to logged-in users is a common use
case. That data needs to be deleted once the user logs out.

Currently sessions and users are separated (I haven't checked how
the user is saved in the session, I assume the user is actually
stored in the session under a specific key). This is very good
and should remain so, but doesn't cater for the use-case.

I propose we add a "data bucket" to the user object that can be
used for that purpose.

>>> u = authenticate(username=username, password=password)
>>> type(u.data)
<type 'dict'>
>>> u.data['foo'] = 'bar'
>>> u.save()  # pickles the data dictionary and saves it in a text field
>>> u.data['foo']
'bar'
>>> logout(request)
>>> u.data
{}

It should be documented that all session data tied to a user
should be saved in that bucket. Sessions may be used for other
purposes or without django.contrib.auth, so they should
definitely remain separate from the user generally.

That would fix #6941.

I'm ready to implement this.

Clearing a session
------------------

Sessions should have a destroy() method that clears the keys and
removes the corresponding session object from the backend store.

>>> from django.contrib.sessions.backends.db import SessionStore
>>> from django.contrib.sessions.models import Session
>>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
>>> s['foo'] = 'bar'
>>> s['foo']
'bar'
>>> s.save()
>>> dbs = Session.objects.get(pk='2b1189a188b44ad18c35e113ac6ceead')
>>> dbs.get_decoded()['foo']
'bar'
>>> s.destroy()
>>> s['foo']
Traceback (most recent call last):
  ...
KeyError: 'foo'
>>> dbs = Session.objects.get(pk='2b1189a188b44ad18c35e113ac6ceead')
Traceback (most recent call last):
  ...
DoesNotExist: Session matching query does not exist.

After calling s.destroy(), s should be a valid session object that has
a new key.

I'm ready to implement this.

Please comment.
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
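The two mechanisms discussed in the message above, HMAC-SHA256 signing of stored session data (in place of md5 over data + SECRET_KEY) and a `destroy()` that clears the keys, drops the backend row and issues a fresh key, as one added, self-contained example. This is illustration code, not Django's session framework: the `SessionStore`, the `SuspiciousSession` exception, the in-memory `backend` dict standing in for the Session table, and the `SECRET_KEY` value are all constructed for the example.

```python
"""Signed session store demo (added example; not Django's own code)."""
import hashlib
import hmac
import json
import secrets

# Constructed secret standing in for settings.SECRET_KEY (example only).
SECRET_KEY = b"constructed-secret-key-for-the-example"


class SuspiciousSession(Exception):
    """Raised when stored session data fails signature verification."""


def _mac(payload: bytes, secret: bytes = SECRET_KEY) -> str:
    # Keyed HMAC-SHA256 rather than md5(data + key): collisions in the hash
    # no longer let an attacker substitute a payload with the same digest.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def encode(session_dict: dict, secret: bytes = SECRET_KEY) -> str:
    """Serialize the session dict and prefix it with its HMAC."""
    payload = json.dumps(session_dict, sort_keys=True).encode()
    return _mac(payload, secret) + ":" + payload.decode()


def decode(encoded: str, secret: bytes = SECRET_KEY) -> dict:
    """Verify the HMAC in constant time before trusting the payload."""
    mac, sep, payload = encoded.partition(":")
    expected = _mac(payload.encode(), secret)
    if not sep or not hmac.compare_digest(mac.encode(), expected.encode()):
        raise SuspiciousSession("session data failed signature check")
    return json.loads(payload)


class SessionStore:
    """Minimal dict-like session with save()/destroy(); backend is a dict."""

    backend: dict = {}  # session_key -> signed blob (stand-in for the DB row)

    def __init__(self, session_key=None):
        self.session_key = session_key or self._new_key()
        blob = self.backend.get(self.session_key)
        self._data = decode(blob) if blob is not None else {}

    @staticmethod
    def _new_key() -> str:
        return secrets.token_hex(16)

    def __getitem__(self, key):
        return self._data[key]

    def __setitem__(self, key, value):
        self._data[key] = value

    def save(self):
        self.backend[self.session_key] = encode(self._data)

    def destroy(self):
        """Drop the stored row, clear the keys, and continue under a fresh key."""
        self.backend.pop(self.session_key, None)
        self._data = {}
        self.session_key = self._new_key()


def tamper_is_detected() -> bool:
    """Edit a saved blob without re-signing it and confirm decode() rejects it."""
    s = SessionStore()
    s["foo"] = "bar"
    s.save()
    forged = SessionStore.backend[s.session_key].replace('"bar"', '"baz"')
    try:
        decode(forged)
    except SuspiciousSession:
        return True
    return False


def destroy_scenario() -> tuple:
    """Returns (row still stored?, 'foo' still present?, key changed?)."""
    s = SessionStore()
    old_key = s.session_key
    s["foo"] = "bar"
    s.save()
    s.destroy()
    return (old_key in SessionStore.backend, "foo" in s._data, s.session_key != old_key)


if __name__ == "__main__":
    print("tamper detected:", tamper_is_detected())
    print("destroy scenario:", destroy_scenario())
```

`decode()` verifies the tag before deserializing, so untrusted bytes never reach the parser, and `compare_digest` avoids leaking the tag through timing. `destroy()` mirrors the proposed semantics: the old row is gone, the in-memory keys are cleared, and the object remains usable under a key that no client has seen yet.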