Options 2 and 4 from that list both involve database-level changes, and thus aren't feasible (our lack of schema migration tools being the biggest problem).
Of those, I'd go for option 3 as well. We definitely don't want to store the full hash in the session for obvious security reasons, but a small portion of the hash is probably enough to do the checking, be secure and provide a high degree of confidence that collisions would be unlikely. I'll leave it to PaulM or someone else better versed in hashing to comment on what the appropriate subset might be, or if that's just totally off base.

Lastly, I'll add that it'd really be pushing it to get this into 1.4 at this point. I, personally, would be willing to allow it on the basis of it being a security concern, but we'd need to have a really solid patch for it in the next week or so to have time to review it, test it, etc. Once we release the beta it's definitely not making it into 1.4.

All the best,
- Gabriel

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To view this discussion on the web visit https://groups.google.com/d/msg/django-developers/-/2FvSlmAuVOIJ.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.