[Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2016-12-14 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
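-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  nobody
 Type:  Cleanup/optimization         |  Status:  new
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Keywords:
 Triage Stage:  Unreviewed           |  Has patch:  0
 Needs documentation:  0             |  Needs tests:  0
 Patch needs improvement:  0         |  Easy pickings:  0
 UI/UX:  0                           |
-------------------------------------+-------------------------------------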
 This relates to `django.contrib.messages.storage.cookie`.

 In its current state, the Cookie store implements its own signing method
 (called `_hash`).
 This uses its own approach to verifying the data inside the cookie.

 Using `set_signed_cookie` removes duplicate code, as well as allows the
 message cookie to use custom signing backends.


 There is, perhaps, another change that can be made, which is to use
 `signing.dumps` to take advantage of the zlib compression. However this
 has potential to be a breaking change for people that read the JSON in the
 cookie, and may not yield better results in size.

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/052.2a77a22e9f4a6f9483d9cb2c22e62bad%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2021-01-14 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  closed
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:  fixed
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

 In [changeset:"831a05b1859f960dba0aff3ac46daa40ca70704e" 831a05b]:
 {{{
 #!CommitTicketReference repository=""
 revision="831a05b1859f960dba0aff3ac46daa40ca70704e"
 Refs #27604 -- Removed support for the pre-Django 3.1 encoding format in
 CookieStorage.

 Per deprecation timeline.
 }}}



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2016-12-15 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  nobody
 Type:  Cleanup/optimization         |  Status:  new
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

 * stage:  Unreviewed => Accepted


Comment:

 I haven't investigated but since `contrib.messages` was added in 2009 and
 `set_signed_cookie()` in 2011, there probably wasn't an intentional change
 not to use it. I guess a deprecation period that offers backwards-
 compatibility for the old format will be needed.



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2017-01-01 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  reficul31
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by reficul31):

 * status:  new => assigned
 * owner:  nobody => reficul31




Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2017-01-27 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  reficul31
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by reficul31):

 Instead of using set_signed_cookie method we could probably replace the
 _hash method by `signing.get_cookie_signer(salt=key + salt).sign(messages)`?



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2017-01-28 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  (none)
 Type:  Cleanup/optimization         |  Status:  new
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by reficul31):

 * owner:  reficul31 => (none)
 * status:  assigned => new




Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-04-13 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  craiga
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by craiga):

 * status:  new => assigned
 * owner:  (none) => craiga




Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-04-14 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  0                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Craig Anderson):

 What should happen to cookies signed with the existing hashing method?

 I haven't tested this (yet), but it looks like messages stored with the
 old hashing method will be silently ignored.

 We could:
 1. accept that messages from Django < 2.3 (?) are ignored;
 2. add the existing `_hash` implementation into `_decode` for these legacy
 messages; or
 3. just close this ticket.

 I'll go ahead and implement option 2 as it's the safest.

 However, as I've never left messages in storage for more than one or two
 request-response cycles, option 1 strikes me as reasonable and much
 cleaner.



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-04-30 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * has_patch:  0 => 1


Comment:

 [https://github.com/django/django/pull/11220 PR]



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-06-22 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 > However, as I've never left messages in storage for more than one or
 > two request-response cycles, option 1 strikes me as reasonable and much
 > cleaner.

 This is true, but even "just for one request" can be an issue for large
 sites. The safest bet is option two where we keep the dual decoding for a
 whole LTS period and then drop it. Given that 2.2 is already out and we
 cannot really safely introduce any new changes there, I think we should
 merge option 2 into master and remove the second codepath in 4.2. This
 would mean that people upgrading from 2.2 (LTS) -> 3.2 (LTS) -> 4.2 (LTS)
 would not have (many) issues unless they directly jump from 2.2 -> 4.2.

 We'd need a proper mention in the relevant release notes.



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-06-22 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 Btw looking through the comments on this ticket, is there any reason not
 to use `set_signed_cookie()`? Sure the changes will be bigger, but if we
 do a change like this we can just as well make it "nice"



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2019-06-23 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  1
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * needs_better_patch:  0 => 1




Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2020-01-31 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Accepted
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Claude Paroz):

 * needs_better_patch:  1 => 0


Comment:

 I created a [https://github.com/django/django/pull/12397 new PR] where the
 storage is using the `Signer` sign and unsign methods.

 About using `set_signed_cookie`, I don't think it makes sense, because
 `CookieStorage` has to calculate the length of the signed encoded messages
 before setting the cookie value. So when we are setting the real cookie
 value, we already have the signed value at hand. Using `set_signed_cookie`
 instead of `set_cookie` would simply re-compute needlessly the messages,
 and would also need refetching a new signer when we have already one at
 hand (as we need it for the length stuff).

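The size check described in the comment above, as an added example in plain Python that is not part of the thread or of Django's code: the limit is applied to the signed value, which is then written with a plain cookie setter. The key, the size limit, the `value:signature` layout and every function and class name here are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret"  # constructed value
MAX_COOKIE_SIZE = 120                    # assumption: small limit so the demo trims


def sign(value):
    """Return value:signature, with a URL-safe base64 HMAC-SHA256 signature."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return value + ":" + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def serialize(messages):
    return json.dumps(messages, separators=(",", ":"))


def fit_and_sign(messages, max_size=MAX_COOKIE_SIZE):
    """Drop the oldest messages until the SIGNED value fits.

    Returns (signed_value, unstored_messages). The signature adds a fixed
    overhead, so measuring the unsigned payload would let oversized cookies
    through.
    """
    kept, unstored = list(messages), []
    signed = sign(serialize(kept))
    while kept and len(signed) > max_size:
        unstored.append(kept.pop(0))
        signed = sign(serialize(kept))
    return signed, unstored


class FakeResponse:
    """Hypothetical stand-in for a response object; it only records cookies."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value):
        self.cookies[name] = value


def store(messages, response):
    signed, unstored = fit_and_sign(messages)
    # The signed value already exists from the size check, so it is written
    # as is; a signing setter would compute the signature a second time.
    response.set_cookie("messages", signed)
    return unstored
```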


Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2020-02-03 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * stage:  Accepted => Ready for checkin




Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2020-02-03 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  assigned
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

 In [changeset:"bcc9fa25285f50fa5074fc43c7114d61bb79" bcc9fa25]:
 {{{
 #!CommitTicketReference repository=""
 revision="bcc9fa25285f50fa5074fc43c7114d61bb79"
 Refs #27604 -- Added CookieStorage.key_salt to allow customization.
 }}}



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2020-02-03 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  closed
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:  fixed
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"8ae84156d62bfc24d71e65cfe4d5cb84b9b1bd91" 8ae8415]:
 {{{
 #!CommitTicketReference repository=""
 revision="8ae84156d62bfc24d71e65cfe4d5cb84b9b1bd91"
 Fixed #27604 -- Used the cookie signer to sign message cookies.

 Co-authored-by: Craig Anderson 
 }}}



Re: [Django] #27604: Use set_signed_cookie for contrib.messages Cookie storage

2020-02-04 Thread Django
#27604: Use set_signed_cookie for contrib.messages Cookie storage
-------------------------------------+-------------------------------------
 Reporter:  Anthony King             |  Owner:  Craig Anderson
 Type:  Cleanup/optimization         |  Status:  closed
 Component:  contrib.messages        |  Version:  master
 Severity:  Normal                   |  Resolution:  fixed
 Keywords:                           |  Triage Stage:  Ready for checkin
 Has patch:  1                       |  Needs documentation:  0
 Needs tests:  0                     |  Patch needs improvement:  0
 Easy pickings:  0                   |  UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak):

 In [changeset:"75daea2fc24da1c987d4fd979adb31a2c5a29d22" 75daea2]:
 {{{
 #!CommitTicketReference repository=""
 revision="75daea2fc24da1c987d4fd979adb31a2c5a29d22"
 Refs #27604 -- Fixed loading of legacy cookie hashes when
 CookieStorage.key_salt is changed.

 This partially reverts bcc9fa25285f50fa5074fc43c7114d61bb79 to
 not break legacy hashes when key_salt is actually changed.
 }}}

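The dual decoding discussed in this thread (option 2, kept for a deprecation period) together with the point of changeset 75daea2, that legacy hashes must still load when the configurable salt is changed, as an added example in plain Python. It is not Django's code: the two cookie layouts, the salts, the key derivation and all function names are simplified assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret"  # constructed value
LEGACY_SALT = b"legacy.messages"         # assumption: fixed salt of the old scheme
DEFAULT_SALT = b"messages.signed"        # assumption: default of the configurable salt


class BadCookie(Exception):
    """Neither the current nor the legacy check accepted the cookie."""


def _mac(salt, value, digest):
    # Derive a per-purpose key from salt + secret, then MAC the payload.
    key = hashlib.new(digest, salt + SECRET_KEY).digest()
    return hmac.new(key, value, digest).digest()


def _dump(messages):
    return json.dumps(messages, separators=(",", ":")).encode()


def encode_new(messages, salt=DEFAULT_SALT):
    """Current format (assumed layout): payload:base64(HMAC-SHA256)."""
    value = _dump(messages)
    sig = base64.urlsafe_b64encode(_mac(salt, value, "sha256")).rstrip(b"=")
    return (value + b":" + sig).decode()


def encode_legacy(messages):
    """Legacy format (assumed layout): hex(HMAC-SHA1)$payload."""
    value = _dump(messages)
    return _mac(LEGACY_SALT, value, "sha1").hex() + "$" + value.decode()


def decode(cookie, salt=DEFAULT_SALT, accept_legacy=True):
    """Return (messages, format_name) or raise BadCookie."""
    raw = cookie.encode()
    # 1. Current format. Split on the last colon: the payload may contain colons.
    value, sep, sig = raw.rpartition(b":")
    if sep:
        good = base64.urlsafe_b64encode(_mac(salt, value, "sha256")).rstrip(b"=")
        if hmac.compare_digest(sig, good):
            return json.loads(value), "new"
    # 2. Legacy fallback, kept only for the deprecation period. It always uses
    #    LEGACY_SALT, so changing the configurable salt does not orphan old cookies.
    if accept_legacy:
        digest, sep, value = raw.partition(b"$")
        if sep:
            good = _mac(LEGACY_SALT, value, "sha1").hex().encode()
            if hmac.compare_digest(digest, good):
                return json.loads(value), "legacy"
    # 3. Fail closed: the caller discards the cookie instead of trusting it.
    raise BadCookie("signature mismatch")
```

Passing `accept_legacy=False` models the end of the deprecation period, after which old-format cookies are rejected like any other unverifiable value.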