On Sat, May 28, 2011 at 4:00 AM, Jimmy <jimmy.don.k...@gmail.com> wrote:
> Hi,
>
> I have the following code to set a self-defined session_key:
>
> >>> from django.contrib.sessions.backends.db import SessionStore
> >>> from django.contrib.sessions.models import Session
> >>> a = SessionStore(session_key="fwefwejfo3j20jf02jnfweojfeo")
> >>> a.save()
> >>> a.session_key
> 'a6e020a64789b5644e923c85b80a1d0b'
>
> Why did the session_key get changed after being saved in the DB? Where is my defined
> session_key?
>
This is not a bug, it is by design. The session app is protecting you from session fixation attacks.

If you try to use a session with a specified key, and no session with that key exists, Django will cycle the session key to avoid a user being caught by a session fixation attack, where a malicious user attempts to get a valid user to log in using a known session key, and then accesses their session.

Cheers

Tom
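A small model of the behaviour described in the reply above, added here as an illustration; it is not code from the thread or from Django's source. `ModelSessionStore`, `open`, `cycle_key` and `planted_key_reaches_login` are hypothetical names, and the login value is constructed sample data.

```python
import secrets


class ModelSessionStore:
    """Toy server-side session store (hypothetical; not Django's SessionStore)."""

    def __init__(self):
        self._db = {}  # session_key -> session data dict

    def _new_key(self):
        # Keys are only ever minted by the server, from a CSPRNG.
        while True:
            key = secrets.token_hex(16)
            if key not in self._db:
                return key

    def open(self, presented_key=None):
        """Return (key, data). A presented key that is not in the store
        is never adopted; a fresh server-generated key is used instead."""
        if presented_key is not None and presented_key in self._db:
            return presented_key, self._db[presented_key]
        key = self._new_key()
        self._db[key] = {}
        return key, self._db[key]

    def cycle_key(self, key):
        """Move existing data to a fresh key, e.g. at login."""
        new_key = self._new_key()
        self._db[new_key] = self._db.pop(key)
        return new_key


def planted_key_reaches_login(store, planted_key):
    """A user arrives carrying a key chosen by someone else and logs in.
    Returns (key the user actually holds, whether the planted key now
    resolves to the logged-in session)."""
    key, data = store.open(planted_key)
    data["user"] = "alice"  # constructed sample login
    _, other_view = store.open(planted_key)
    return key, other_view.get("user") == "alice"


if __name__ == "__main__":
    store = ModelSessionStore()
    print(planted_key_reaches_login(store, "fwefwejfo3j20jf02jnfweojfeo"))
```

Because the store refuses to create a session under a caller-supplied key, the key from the original question never becomes a handle to the authenticated session.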