Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-08 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  closed
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:  fixed
 Keywords:   | Triage Stage:  Ready for checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 In [changeset:"ba1654cb54eccef3ba29e455cd5065aed84e1f90" ba1654cb]:
 {{{
 #!CommitTicketReference repository=""
 revision="ba1654cb54eccef3ba29e455cd5065aed84e1f90"
 [4.1.x] Fixed #34384 -- Fixed session validation when rotating secret
 keys.

 Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

 Thanks Eric Zarowny for the report.

 Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070186c0c91441-1e66cca7-49e2-4938-b159-6602d3b7e3db-00%40eu-central-1.amazonses.com.


Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-08 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  closed
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:  fixed
 Keywords:   | Triage Stage:  Ready for checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 In [changeset:"6937c921691746a85e2993406b46da0527b6f2ee" 6937c921]:
 {{{
 #!CommitTicketReference repository=""
 revision="6937c921691746a85e2993406b46da0527b6f2ee"
 [4.2.x] Fixed #34384 -- Fixed session validation when rotating secret
 keys.

 Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

 Thanks Eric Zarowny for the report.

 Backport of 2396933ca99c6bfb53bda9e53968760316646e01 from main
 }}}



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-08 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  closed
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:  fixed
 Keywords:   | Triage Stage:  Ready for checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"2396933ca99c6bfb53bda9e53968760316646e01" 2396933c]:
 {{{
 #!CommitTicketReference repository=""
 revision="2396933ca99c6bfb53bda9e53968760316646e01"
 Fixed #34384 -- Fixed session validation when rotating secret keys.

 Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

 Thanks Eric Zarowny for the report.
 }}}



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-08 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Ready for checkin
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * needs_better_patch:  1 => 0
 * stage:  Accepted => Ready for checkin




Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-07 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  1
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * needs_better_patch:  0 => 1




Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by David Wobrock):

 * needs_better_patch:  1 => 0
 * needs_docs:  1 => 0




Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  1
  Needs tests:  0|  Patch needs improvement:  1
Easy pickings:  0|UI/UX:  0
-+-
Changes (by Mariusz Felisiak):

 * needs_better_patch:  0 => 1
 * needs_docs:  0 => 1




Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Mariusz Felisiak):

 Replying to [comment:6 Florian Apolloner]:
 > Replying to [comment:4 Mariusz Felisiak]:
 > > Maybe we could call `update_session_auth_hash()` when a fallback hash
 > > is valid 🤔
 > Most likely yes, we don't want to pay the calculation overhead every
 > request :)

 OK, so we can accept this as a part of the bugfix.



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by Florian Apolloner):

 Replying to [comment:4 Mariusz Felisiak]:
 > Maybe we could call `update_session_auth_hash()` when a fallback hash is
 > valid 🤔
 Most likely yes, we don't want to pay the calculation overhead every
 request :)



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+-
 Reporter:  Eric Zarowny |Owner:  David Wobrock
 Type:  Bug  |   Status:  assigned
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by David Wobrock):

 * cc: David Wobrock (added)
 * owner:  nobody => David Wobrock
 * has_patch:  0 => 1
 * status:  new => assigned


Comment:

 [https://github.com/django/django/pull/16631 PR]



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-06 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
-+
 Reporter:  Eric Zarowny |Owner:  nobody
 Type:  Bug  |   Status:  new
Component:  contrib.auth |  Version:  4.1
 Severity:  Release blocker  |   Resolution:
 Keywords:   | Triage Stage:  Accepted
Has patch:  0|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+
Changes (by Mariusz Felisiak):

 * cc: Carlton Gibson, Andreas Pelme, terrameijar (added)
 * severity:  Normal => Release blocker
 * stage:  Unreviewed => Accepted


Comment:

 Thanks for the report. Agreed, we should check fallback session hashes.

 Bug in 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7.

 > In particular for user sessions, using fallback keys in the
 > `AuthenticationMiddleware`/`auth.get_user(request)` will keep existing
 > `_auth_user_hash` values from before the rotation being seen as valid,
 > which is nice during the rotation period, but without any upgrading of the
 > `_auth_user_hash` values, when the rotation is finished and the fallback
 > keys are removed, all of those sessions will essentially be invalidated
 > again.
 >
 > So, I think possibly an additional need here is a way to upgrade the
 > cookies when a fallback key is used? Or at least documentation calling out
 > this drawback.
 > Edit: It's possible I'm conflating a cookie value and a session value,
 > but either way I think the principle of what I wrote stands?

 As far as I'm aware, this is a new feature request, not a bug in #30360,
 so we should discuss it separately. Maybe we could call
 `update_session_auth_hash()` when a fallback hash is valid 🤔



Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-03 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
--+--
 Reporter:  Eric Zarowny  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  4.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by Joey Lange):

 * cc: Joey Lange (added)


Comment:

 Hi! I'm a colleague of Eric's, and we were discussing some of the
 ramifications of fixing this issue and I thought I'd write them here for
 posterity.

 In particular for user sessions, using fallback keys in the
 `AuthenticationMiddleware`/`auth.get_user(request)` will keep existing
 `_auth_user_hash` values from before the rotation being seen as valid,
 which is nice during the rotation period, but without any ''upgrading'' of
 the `_auth_user_hash` values, when the rotation is finished and the
 fallback keys are removed, all of those sessions will essentially be
 invalidated again.

 So, I think possibly an additional need here is a way to upgrade the
 cookies when a fallback key is used? Or at least documentation calling out
 this drawback.

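The rotation scenario Joey describes above, together with the `update_session_auth_hash()` upgrade Mariusz proposes further up the thread, modelled as an added stand-alone Python example (not Django's code): the stored `_auth_user_hash` is verified against the current key and then each fallback, and a fallback-validated hash is rewritten under the current key so the session survives once the fallbacks are removed. `salted_hmac` mirrors Django's construction but is reimplemented here; the secrets and password hash are constructed sample values.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Stand-in for Django's salted_hmac(): derive a per-purpose key from
# key_salt + secret, then HMAC the value with it (SHA-256 throughout).
def salted_hmac(key_salt: str, value: str, secret: str) -> str:
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

# Purpose string Django uses for the session auth hash.
KEY_SALT = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash"

def session_auth_hash(password_hash: str, secret: str) -> str:
    """Model of user.get_session_auth_hash(), parameterised by the secret."""
    return salted_hmac(KEY_SALT, password_hash, secret)

def verify_session_hash(stored: Optional[str], password_hash: str,
                        secret_key: str, fallbacks: Iterable[str]) -> Optional[str]:
    """Return 'current', 'fallback' or None according to which key validates."""
    if stored is None:
        return None
    if hmac.compare_digest(stored, session_auth_hash(password_hash, secret_key)):
        return "current"
    for fb in fallbacks:  # the fallback check that #34384 added
        if hmac.compare_digest(stored, session_auth_hash(password_hash, fb)):
            return "fallback"
    return None

def load_user(session: dict, password_hash: str, secret_key: str,
              fallbacks: Iterable[str], upgrade: bool) -> bool:
    """Model of auth.get_user(): True if the session stays authenticated.
    upgrade=True rewrites a fallback-validated hash under the current key."""
    result = verify_session_hash(session.get("_auth_user_hash"),
                                 password_hash, secret_key, fallbacks)
    if result is None:
        session.clear()  # analogue of request.session.flush()
        return False
    if result == "fallback" and upgrade:
        session["_auth_user_hash"] = session_auth_hash(password_hash, secret_key)
    return True

def rotation_walkthrough(upgrade: bool) -> dict:
    """Run one session through a key rotation; all values are constructed."""
    old, new = "old-secret-constructed", "new-secret-constructed"
    pw = "pbkdf2_sha256$constructed$hash"
    session = {"_auth_user_hash": session_auth_hash(pw, old)}  # login under old key
    # Phase 1: new key is SECRET_KEY, old key sits in SECRET_KEY_FALLBACKS.
    during = load_user(session, pw, new, [old], upgrade)
    # Phase 2: rotation finished, fallbacks removed.
    after = load_user(session, pw, new, [], upgrade)
    return {"during_rotation": during, "after_fallbacks_removed": after}
```

Without the upgrade the session is accepted during rotation and then dropped once the fallback is removed; with it the session keeps working, which is the behaviour the thread ends up agreeing on.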


Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-03 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
--+--
 Reporter:  Eric Zarowny  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  4.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by Mariusz Felisiak):

 * cc: Florian Apolloner (added)




Re: [Django] #34384: SECRET_KEY_FALLBACKS is not used for sessions

2023-03-03 Thread Django
#34384: SECRET_KEY_FALLBACKS is not used for sessions
--+--
 Reporter:  Eric Zarowny  |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  4.1
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+--
Changes (by Timothy Schilling):

 * cc: Timothy Schilling (added)

