I'm new to Django and don't quite understand your explanation.

How can I create a specific session_key and access the session by
that key? Is there any risk to me if I expose the session_key to the
outside?

Thank you.

Best regards,
Li Jiaming

On May 31, 7:47 pm, Tom Evans <tevans...@googlemail.com> wrote:
> On Sat, May 28, 2011 at 4:00 AM, Jimmy <jimmy.don.k...@gmail.com> wrote:
> > Hi,
>
> > I have the following code to set a self-defined session_key:
>
> > >>> from django.contrib.sessions.backends.db import SessionStore
> > >>> from django.contrib.sessions.models import Session
> > >>> a = SessionStore(session_key="fwefwejfo3j20jf02jnfweojfeo")
> > >>> a.save()
> > >>> a.session_key
> > 'a6e020a64789b5644e923c85b80a1d0b'
>
> > Why did the session_key get changed after being saved in the DB? Where is
> > my defined session_key?
>
> This is not a bug, it is by design. The session app is protecting you
> from session fixation attacks.
>
> If you try to use a session with a specified key, and no session with
> that key exists, Django will cycle the session key to avoid a user
> being caught by a session fixation attack, where a malicious user
> attempts to get a valid user to log in using a known session key, and
> then accesses their session.
>
> Cheers
>
> Tom
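
Added example, not part of the original thread and not Django's own code: a simplified pure-Python model of the behaviour Tom describes, comparing a store that accepts any client-supplied session key with one that replaces unknown keys. The class and function names (`NaiveStore`, `StrictStore`, `shares_session`) are hypothetical, and the key values are constructed.

```python
import secrets


class NaiveStore:
    """Creates a session under whatever key the client presents."""

    def __init__(self):
        self._db = {}

    def open(self, key=None):
        key = key or secrets.token_hex(16)
        self._db.setdefault(key, {})
        return key

    def data(self, key):
        return self._db[key]


class StrictStore(NaiveStore):
    """Only honours keys it issued; unknown keys are replaced (cycled)."""

    def open(self, key=None):
        if key is None or key not in self._db:
            key = secrets.token_hex(16)  # server-chosen, unpredictable
            self._db[key] = {}
        return key


def shares_session(store, presented_key):
    """True if a second client presenting the same key sees the first
    client's authenticated state, i.e. the fixation condition."""
    first = store.open(presented_key)      # first client arrives with the key
    store.data(first)["user"] = "alice"    # ...and then logs in
    second = store.open(presented_key)     # second client presents it again
    return store.data(second).get("user") == "alice"


if __name__ == "__main__":
    chosen = "fwefwejfo3j20jf02jnfweojfeo"  # key from the question above
    strict = StrictStore()
    issued = strict.open(chosen)
    print("key kept by strict store:", issued == chosen)
    print("issued key reusable:", strict.open(issued) == issued)
    print("naive store shares session:", shares_session(NaiveStore(), chosen))
    print("strict store shares session:", shares_session(StrictStore(), chosen))
```

The strict store mirrors what the question observed: the chosen key is discarded and a server-generated one is returned, while a key the store issued itself keeps working.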
