#18194: File-based session never expire
----------------------------------+------------------------------------
     Reporter:  ej                |                    Owner:  PaulM
         Type:  Bug               |                   Status:  new
    Component:  contrib.sessions  |                  Version:  1.4
     Severity:  Release blocker   |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------

Comment (by crodjer):

 Linking this issue to my corresponding pull request over github:
 https://github.com/django/django/pull/453

 Replying to [comment:7 Elvard]:
 > Is it necessary to sign session data for all backends? I would define it
 for file-based sessions only. For example, signed-cookie backend cares
 about signing itself. I don't see any advantage in signing database data
 with TimestampSigner since expiration date is stored along with session
 data.

 This makes sense, considering that all of the other backends have
 alternate ways of verifying expiry. Putting the timed signer only in the
 file session backend seems more appropriate. It'll also save us from
 compatibility issues for other backends.

 Though in the database backend the `exist` seems faulty. It doesn't check
 for expiry there. But it's out of scope of this ticket.

 >
 > Using modification time seems to me interesting (although simple signing
 would be useful here), but both solutions (TimestampSigner and
 modification time) have a slight caveat: While in the database backend we
 can specify an exact expiration date and check that it's < timezone.now(),
 here we have the modification date (or date of signing) and we check that
 it's < timezone.now() - SESSION_COOKIE_AGE. It could be solved by setting
 the modification date (or date of signing) in the future, but I'm not sure
 if it's allowed for every file system.

 I also think using file system might be unreliable.

 > TimestampSigner unfortunately doesn't support change of time.

 I am not sure if I get this point. As far as I know we can modify the time
 for TimestampSigner while unsigning. It'll verify based on the second
 argument of `signer.unsign`:

 {{{
 signer.unsign(data, age)
 }}}

 We can have `settings.SESSION_COOKIE_AGE` in place of `age` parameter.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/18194#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
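The check crodjer describes above (signing the stored session payload with a timestamp and rejecting it at load time once it is older than `SESSION_COOKIE_AGE`) can be shown end to end without depending on the file's modification time. The following is an added example, not code from the pull request or from Django itself: it re-implements the `value:timestamp:signature` shape of `TimestampSigner` with a plain HMAC so it runs stand-alone, uses a constructed `SECRET_KEY` and a hypothetical `SESSION_COOKIE_AGE` constant in place of the Django settings, and takes an optional `now` argument so expiry can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import os
import tempfile
import time
from typing import Optional

# Hypothetical stand-in for settings.SESSION_COOKIE_AGE (two weeks, Django's default)
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2
# Constructed secret; a real deployment would key the HMAC with settings.SECRET_KEY
SECRET_KEY = b"constructed-example-secret-key"


class BadSignature(Exception):
    """Signature missing, malformed, or does not match the payload."""


class SignatureExpired(BadSignature):
    """Signature is valid but older than the permitted max_age."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _mac(payload: str) -> str:
    # HMAC-SHA256 keyed with the secret, so neither value nor timestamp can be forged
    return _b64(hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).digest())


def sign(value: str, now: Optional[float] = None) -> str:
    """Produce value:timestamp:signature, the same layout TimestampSigner emits."""
    ts = int(now if now is not None else time.time())
    payload = f"{value}:{_b64(str(ts).encode('ascii'))}"
    return f"{payload}:{_mac(payload)}"


def unsign(signed: str, max_age: int, now: Optional[float] = None) -> str:
    """Verify the HMAC first, then reject payloads older than max_age seconds."""
    try:
        value, ts_b64, sig = signed.rsplit(":", 2)  # value itself may contain ':'
    except ValueError:
        raise BadSignature("malformed signed value")
    payload = f"{value}:{ts_b64}"
    if not hmac.compare_digest(_mac(payload), sig):
        raise BadSignature("signature does not match")
    ts = int(base64.urlsafe_b64decode(ts_b64 + "=" * (-len(ts_b64) % 4)))
    age = (now if now is not None else time.time()) - ts
    if age > max_age:
        raise SignatureExpired(f"signature age {age:.0f}s exceeds {max_age}s")
    return value


def check(signed: str, max_age: int, now: Optional[float] = None) -> str:
    """Classify a stored blob as 'ok', 'expired' or 'bad' (useful for logging)."""
    try:
        unsign(signed, max_age, now)
    except SignatureExpired:
        return "expired"
    except BadSignature:
        return "bad"
    return "ok"


def save_session(path: str, data: dict, now: Optional[float] = None) -> None:
    """Write the session dict to disk as a timestamp-signed JSON blob."""
    with open(path, "w") as fh:
        fh.write(sign(json.dumps(data), now))


def load_session(path: str, max_age: int = SESSION_COOKIE_AGE,
                 now: Optional[float] = None) -> dict:
    """Read a session file; an expired or tampered blob yields an empty session."""
    with open(path) as fh:
        signed = fh.read()
    try:
        return json.loads(unsign(signed, max_age, now))
    except BadSignature:
        return {}


def demo() -> dict:
    """Round-trip a session through a temp file and exercise the three outcomes."""
    t0 = 1_700_000_000  # constructed signing time
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sessionid")
        save_session(path, {"user_id": 42}, now=t0)
        fresh = load_session(path, now=t0 + 60)
        # Touching the file changes its mtime but not the signed timestamp,
        # so the lifetime is not extended by filesystem activity.
        os.utime(path, None)
        stale = load_session(path, now=t0 + SESSION_COOKIE_AGE + 1)
        with open(path, "a") as fh:
            fh.write("x")  # corrupt the signature
        tampered = load_session(path, now=t0 + 60)
    return {"fresh": fresh, "stale": stale, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Because the expiry is derived from the signed timestamp rather than from the file's mtime, the caveat Elvard raises about file systems that may not accept a future modification time does not apply, and the `max_age` argument is exactly where `settings.SESSION_COOKIE_AGE` would be passed.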
