#18194: File-based session never expire
----------------------------------+------------------------------------
     Reporter:  ej                |                    Owner:  PaulM
         Type:  Bug               |                   Status:  new
    Component:  contrib.sessions  |                  Version:  1.4
     Severity:  Release blocker   |               Resolution:
     Keywords:                    |             Triage Stage:  Accepted
    Has patch:  1                 |      Needs documentation:  0
  Needs tests:  0                 |  Patch needs improvement:  0
Easy pickings:  0                 |                    UI/UX:  0
----------------------------------+------------------------------------
Comment (by crodjer):

 Linking this issue to my corresponding pull request over github:
 https://github.com/django/django/pull/453

 Replying to [comment:7 Elvard]:
 > Is it necessary to sign session data for all backends? I would define it
 > for file-based sessions only. For example, the signed-cookie backend cares
 > about signing itself. I don't see any advantage in signing database data
 > with TimestampSigner since the expiration date is stored along with the
 > session data.

 This makes sense, considering all of the other backends have alternate
 ways of verifying expiry. Putting the timed signer only in the file
 session seems more appropriate. It'll also save us from compatibility
 issues for other backends. Though in the database backend the `exist`
 seems faulty: it doesn't check for expiry there. But it's out of scope of
 this ticket.

 > Using modification time seems to me interesting (although simple signing
 > would be useful here), but both solutions (TimestampSigner and
 > modification time) have a slight caveat: while in the database backend we
 > can specify an exact expiration date and check that it's < timezone.now(),
 > here we have the modification date (or date of signing) and we check that
 > it's < timezone.now() - SESSION_COOKIE_AGE. It could be solved by setting
 > the modification date (or date of signing) in the future, but I'm not sure
 > if it's allowed for every file system. I also think using the file system
 > might be unreliable.
 > TimestampSigner unfortunately doesn't support change of time.

 I am not sure if I get this point. As far as I know we can modify the time
 for TimestampSigner while unsigning. It'll verify based on the second
 argument of `signer.unsign`:
 {{{
 signer.unsign(data, age)
 }}}
 We can have `settings.SESSION_COOKIE_AGE` in place of the `age` parameter.

--
Ticket URL: <https://code.djangoproject.com/ticket/18194#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
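A stand-alone illustration of the check the comment describes, added here as an example and not code from Django or from the pull request: the serialized session is signed together with a timestamp, and on load the signature is verified first and the data is rejected once it is older than SESSION_COOKIE_AGE. It reproduces the data:timestamp:signature layout of TimestampSigner with a plain HMAC; SECRET_KEY and the sample session dict are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

SESSION_COOKIE_AGE = 1209600  # Django's default: two weeks, in seconds
SECRET_KEY = b"constructed-example-secret"  # constructed; Django would use settings.SECRET_KEY

class BadSignature(Exception):
    pass

class SignatureExpired(BadSignature):
    pass

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(payload):
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())

def sign_session(session_dict, now=None):
    """Produce 'data:timestamp:signature', the shape TimestampSigner emits."""
    ts = int(now if now is not None else time.time())
    payload = f"{_b64(json.dumps(session_dict, sort_keys=True).encode())}:{ts}"
    return f"{payload}:{_mac(payload)}"

def load_session(blob, max_age=SESSION_COOKIE_AGE, now=None):
    """Verify the MAC first, then reject data signed more than max_age seconds ago."""
    data, ts, sig = blob.rsplit(":", 2)
    # MAC check before trusting the timestamp: moving the stored timestamp forward
    # breaks the signature instead of extending the session.
    if not hmac.compare_digest(_mac(f"{data}:{ts}"), sig):
        raise BadSignature("signature mismatch: file modified or signed with another key")
    # Age is counted from signing time (the last save), which is the ticket's caveat:
    # there is no stored expiry date, only "signed within the last max_age seconds".
    age = (now if now is not None else time.time()) - int(ts)
    if age > max_age:
        raise SignatureExpired(f"signed {age:.0f}s ago, max_age is {max_age}s")
    return json.loads(base64.urlsafe_b64decode(data + "=" * (-len(data) % 4)))

def check_session(blob, max_age=SESSION_COOKIE_AGE, now=None):
    """Classify a stored blob as 'ok', 'expired' or 'tampered'."""
    try:
        load_session(blob, max_age, now)
        return "ok"
    except SignatureExpired:
        return "expired"
    except BadSignature:
        return "tampered"
```

Passing `now` explicitly is only there to make the expiry check reproducible; in a real backend the current time is used.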