#33475: Add a SESSION_KEY_LENGTH setting
--------------------------------------------+-------------------------
               Reporter:  jecarr            |          Owner:  nobody
                   Type:  New feature       |         Status:  new
              Component:  contrib.sessions  |        Version:  4.0
               Severity:  Normal            |       Keywords:  session
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+-------------------------
 I was reviewing how sessions were made and came across how the session key
 is [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L142 at a fixed length of 32 characters].
 I wondered if we could have a setting that changes this?

 Rationale:
 - [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-length OWASP-recommended session ID length],
 which therefore might influence security auditors (although I do
 acknowledge their point that the minimum isn't an absolute pending other
 implementation factors).
 - I also did follow the steps to
 [https://docs.djangoproject.com/en/4.0/topics/http/sessions/#extending-database-backed-session-engines extend the default Session management]
 and it resulted in a pointer table (a new table for my model extending
 Django's Session model, where it references the django_session table). I
 don't mind this but if all I wanted was to adjust the session key length,
 I think a setting would be more efficient than introducing a new DB table.

 Impact on codebase: whether the
 [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L156 minimum]
 and
 [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/base_session.py#L27 maximum]
 session-key-length checks need to be called anywhere else.

 Apologies if I've overlooked anything which results in a wontfix; thanks!

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33475>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
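The ticket's security-relevant question is whether 32 characters is "enough" against the OWASP figure. The following is an added worked example (not Django's code and not the reporter's) that quantifies that: it reproduces a length-parameterised key generator over the same 36-symbol alphabet Django's session backends draw from, computes the entropy for a given length, and mirrors the two length checks the ticket links (the backend's minimum of 8 and the model column's max_length of 40). The alphabet, the 8/40 bounds and the 64-bit OWASP entropy floor are assumptions mirrored from the linked 4.0 sources and cheat sheet so the script runs without Django installed.

```python
import math
import secrets

# Assumed: same alphabet as django.contrib.sessions.backends.base.VALID_KEY_CHARS
# (lowercase ASCII letters plus digits, 36 symbols), copied so this runs offline.
VALID_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"

# Assumed: the two bounds the ticket points at. The backend rejects keys
# shorter than 8; the Session model stores the key in a CharField(max_length=40).
MIN_KEY_LENGTH = 8
MAX_KEY_LENGTH = 40

# Assumed: the entropy floor from the linked OWASP Session Management cheat sheet.
OWASP_MIN_ENTROPY_BITS = 64


def session_key_entropy_bits(length: int, alphabet: str = VALID_KEY_CHARS) -> float:
    """Entropy (bits) of a uniformly random key of `length` symbols over `alphabet`."""
    return length * math.log2(len(alphabet))


def min_length_for_entropy(bits: float, alphabet: str = VALID_KEY_CHARS) -> int:
    """Smallest key length whose entropy reaches `bits` over `alphabet`."""
    return math.ceil(bits / math.log2(len(alphabet)))


def key_length_is_allowed(length: int) -> bool:
    """Would a key of this length pass the backend minimum and fit the DB column?"""
    return MIN_KEY_LENGTH <= length <= MAX_KEY_LENGTH


def new_session_key(length: int = 32, alphabet: str = VALID_KEY_CHARS) -> str:
    """Generate a session key of a configurable length from a CSPRNG.

    This is the shape a SESSION_KEY_LENGTH-driven _get_new_session_key could
    take; `secrets.choice` gives a uniform draw per symbol, so the entropy is
    exactly what session_key_entropy_bits() reports.
    """
    if not key_length_is_allowed(length):
        raise ValueError(
            f"session key length {length} outside {MIN_KEY_LENGTH}..{MAX_KEY_LENGTH}"
        )
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_session_key(key) -> bool:
    """Mirror of the checks a backend plus the DB column impose on a presented key."""
    if not key or not isinstance(key, str):
        return False
    if not key_length_is_allowed(len(key)):
        return False
    return all(c in VALID_KEY_CHARS for c in key)


def entropy_report(lengths=(8, 12, 13, 16, 32, 40)) -> list:
    """Rows of (length, entropy_bits, meets_owasp_floor) for the given lengths."""
    return [
        (n, round(session_key_entropy_bits(n), 1), session_key_entropy_bits(n) >= OWASP_MIN_ENTROPY_BITS)
        for n in lengths
    ]


if __name__ == "__main__":
    for n, bits, ok in entropy_report():
        print(f"length={n:2d}  entropy={bits:6.1f} bits  OWASP>=64: {'yes' if ok else 'no'}")
    print("shortest length meeting 64 bits:", min_length_for_entropy(64))
    print("shortest length meeting 128 bits:", min_length_for_entropy(128))
    print("example 32-char key:", new_session_key(32))
```

The numbers show why a setting would mostly be a downward lever: the current fixed 32 characters give about 165 bits, well above the OWASP floor, and any value below 13 would drop under 64 bits even though the backend's minimum check (8) would still accept it. If a SESSION_KEY_LENGTH setting were added, the system check should therefore enforce an entropy-based lower bound, not just the existing length-8 check, and an upper bound of 40 unless the column is widened.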
