#33475: Add a SESSION_KEY_LENGTH setting
--------------------------------------------+-------------------------
               Reporter:  jecarr            |  Owner:  nobody
                   Type:  New feature       |  Status:  new
              Component:  contrib.sessions  |  Version:  4.0
               Severity:  Normal            |  Keywords:  session
           Triage Stage:  Unreviewed        |  Has patch:  0
    Needs documentation:  0                 |  Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+-------------------------

I was reviewing how sessions were made and came across how the session key is [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L142 at a fixed length of 32 characters]. I wondered if we could have a setting that changes this?

Rationale:

- [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-length OWASP-recommended session ID length], which therefore might influence security auditors (although I do acknowledge their point about the minimum isn't an absolute pending other implementation factors).
- I also did follow the steps to [https://docs.djangoproject.com/en/4.0/topics/http/sessions/#extending-database-backed-session-engines extend the default Session management] and it resulted in a pointer table (a new table for my model extending Django's Session model, where it references the django_session table). I don't mind this, but if all I wanted was to adjust the session key length, I think a setting would be more efficient than introducing a new DB table.

Impact on codebase: whether the [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L156 minimum] and [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/base_session.py#L27 maximum] session-key-length checks need to be called anywhere else.

Apologies if I've overlooked anything which results in a wontfix; thanks!

--
Ticket URL: <https://code.djangoproject.com/ticket/33475>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
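As an added illustration of the bounds the ticket points at (this is example code, not the ticket's or Django's own implementation), the following checks a hypothetical SESSION_KEY_LENGTH value against the 8-character minimum and 40-character column maximum at the linked lines, and against the 64 bits of entropy the OWASP cheat sheet asks for, before generating a key from the same lowercase-plus-digits alphabet Django uses. The function names, and the startup-time validation approach, are assumptions for the example.

```python
import math
import secrets
import string

# Alphabet Django's session backend draws key characters from:
# 26 lowercase letters + 10 digits = 36 symbols (~5.17 bits each).
VALID_KEY_CHARS = string.ascii_lowercase + string.digits

# Bounds at the lines the ticket links: the backend rejects keys shorter
# than 8 characters; the Session.session_key column holds at most 40.
MIN_KEY_LENGTH = 8
MAX_KEY_LENGTH = 40

# OWASP Session Management Cheat Sheet: at least 64 bits of entropy.
OWASP_MIN_ENTROPY_BITS = 64


def key_entropy_bits(length, alphabet=VALID_KEY_CHARS):
    """Entropy of a uniformly random key of `length` symbols, in bits."""
    return length * math.log2(len(set(alphabet)))


def validate_session_key_length(length):
    """Hypothetical check for a SESSION_KEY_LENGTH setting.

    Returns the length if usable; raises ValueError otherwise, so that a
    bad setting fails loudly at startup instead of producing keys that are
    either weak or silently truncated by the database column.
    """
    if not isinstance(length, int) or isinstance(length, bool):
        raise ValueError("SESSION_KEY_LENGTH must be an integer")
    if length < MIN_KEY_LENGTH:
        raise ValueError(f"{length} is below the backend minimum of {MIN_KEY_LENGTH}")
    if length > MAX_KEY_LENGTH:
        raise ValueError(f"{length} exceeds the session_key column size of {MAX_KEY_LENGTH}")
    bits = key_entropy_bits(length)
    if bits < OWASP_MIN_ENTROPY_BITS:
        raise ValueError(f"{length} chars give {bits:.1f} bits, below OWASP's {OWASP_MIN_ENTROPY_BITS}")
    return length


def generate_session_key(length=32):
    """Produce a key of the validated length using a CSPRNG (secrets)."""
    validate_session_key_length(length)
    return "".join(secrets.choice(VALID_KEY_CHARS) for _ in range(length))


if __name__ == "__main__":
    # Django's own 8-char floor is well under OWASP's entropy bar; 13 is the
    # first length over it with this alphabet, and the default 32 gives ~165.
    for n in (8, 12, 13, 32, 40):
        print(n, f"{key_entropy_bits(n):.1f} bits")
    print(generate_session_key())
```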