I'd like to get some feedback on the following major tickets
regarding sessions, all of which are in scope for 1.0.

1) Session key collisions: http://code.djangoproject.com/ticket/1180

Due to the birthday paradox, sqrt(n) is roughly the number you need to
have a 50% collision chance when picking items at random from an
inexhaustible set of n items. (0, sys.maxint - 1) is currently the
random range. On 32-bit platforms the collision bound is thus quite
low as sqrt(2^31) is about 46,000 keys.

Although get_or_create() is used to guard against collisions, they can
still occur in threaded environments that have millions of sessions in
session store (multiple threads enter get_or_create(), collision
probability is very high when the number of stored sessions is, say,
10 times 46,000). This has been reported by at least one user.

There's no problem on 64-bit platforms as the collision bound is
sqrt(2^63) ~ 3,000,000,000.

Proposal: use 63 bits of randomness regardless of architecture.
(Trivial) patch attached to #1180. According to reports, this fixes
the problem on 32-bit systems.

See analysis at http://code.djangoproject.com/ticket/1180#comment:26

2) Reliable session clearing: http://code.djangoproject.com/ticket/7515

Clearing session data is a very common use case. Currently, the only
way to do it is to manually erase session keys in a loop.

The patch attached to #7515 fixes that by clearing the underlying
dictionary in one step. However, it is not exception-safe; see the
problem statement at http://code.djangoproject.com/ticket/7515#comment:6.

The right way to solve this should be discussed further.

3) Clear session on logout: http://code.djangoproject.com/ticket/6941

Currently sessions are not related to users. As discussed before, a
one-way relation is useful, i.e. users are related to sessions and
sessions are cleared if they log out or if they log in and a different
user was logged in previously. This depends on #7515.

---

There are also two less acute tickets, http://code.djangoproject.com/ticket/6984
and http://code.djangoproject.com/ticket/6791. IMHO they are in scope
for 1.0 as well.

After resolving these issues, the session framework should be ready
for 1.0 feature freeze.
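The birthday-bound arithmetic behind ticket #1180, worked through in code. This is an added example, not Django's session backend and not the patch attached to the ticket: it computes the collision probability for a given number of live sessions and key width, checks the 31-bit versus 63-bit figures quoted above, and draws a fixed 63 bits of randomness regardless of word size. Note that sqrt(N) draws from a space of N values gives a collision chance of 1 - e^(-1/2), about 39%; the exact 50% point is about 1.18 * sqrt(N), which the code also reports. The key generator uses Python's `secrets` module (OS CSPRNG), a choice made here because session keys should not come from a non-cryptographic PRNG; the simulation helper uses a seeded `random.Random` only so that its result is reproducible.

```python
import math
import random
import secrets
import sys


def collision_probability(n_keys, bits):
    """Approximate P(at least one collision) when n_keys keys are drawn
    uniformly from a space of 2**bits values: 1 - exp(-n^2 / (2 * 2^bits)).
    Accurate while n_keys is small relative to 2**bits."""
    return 1.0 - math.exp(-(n_keys ** 2) / (2.0 * 2 ** bits))


def rule_of_thumb_bound(bits):
    """The post's sqrt(N) rule: keys needed for roughly a coin-flip
    collision chance (exactly 1 - e^-0.5, about 39%)."""
    return int(math.sqrt(2 ** bits))


def fifty_percent_bound(bits):
    """Exact 50% point: sqrt(2 * ln 2 * 2^bits), about 1.18 * sqrt(N)."""
    return int(math.sqrt(2 * math.log(2) * 2 ** bits))


def platform_random_bits():
    """Bits of randomness the range (0, sys.maxsize - 1) can yield:
    31 on a 32-bit CPython build, 63 on a 64-bit build."""
    return sys.maxsize.bit_length()


def new_session_key(bits=63):
    """Draw a session key with a fixed number of random bits regardless of
    platform word size, as the ticket proposes. Hex-encoded so it is safe
    to store and put in a cookie. Uses the OS CSPRNG via `secrets`
    (this example's choice, not the ticket's patch)."""
    return format(secrets.randbits(bits), "x")


def first_collision(n_draws, bits, seed=0):
    """Simulate n_draws keys of the given width and return the index of
    the first repeated key, or None if all were distinct. Seeded so the
    outcome is reproducible; demonstration only, not for real keys."""
    rng = random.Random(seed)
    seen = set()
    for i in range(n_draws):
        key = rng.getrandbits(bits)
        if key in seen:
            return i
        seen.add(key)
    return None


def compare_widths(n_sessions=460_000, widths=(31, 63)):
    """Collision probability for a store of n_sessions keys at each width;
    460,000 is the '10 times 46,000' figure from the post."""
    return {bits: collision_probability(n_sessions, bits) for bits in widths}


if __name__ == "__main__":
    for bits, p in compare_widths().items():
        print(f"{bits}-bit keys, 460,000 sessions: P(collision) = {p:.3g}")
    print("31-bit first collision at draw", first_collision(460_000, 31))
    print("63-bit first collision at draw", first_collision(460_000, 63))
    print("example key:", new_session_key())
```

Running it shows the two regimes the ticket describes: at 31 bits a store of 460,000 sessions collides with near certainty (the expected number of colliding pairs is about 49), while at 63 bits the probability is on the order of 1e-8, so the `get_or_create()` race is no longer the limiting factor.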
You received this message because you are subscribed to the Google Groups
"Django developers" group.