Session framework improvements - ticket 3304

[Rodolfo]

About session in Django: http://code.djangoproject.com/wiki/DjangoSpecifications/Contrib/Sessions

Why ticket 3304 (http://code.djangoproject.com/ticket/3304) is "new"?
All propounded patches are bad? This can protect from session hijack
(http://en.wikipedia.org/wiki/Session_hijacking) using XSS (Cross Site
Scripting).

Tks!

[Russell Keith-Magee]

The discussion on the ticket explains the current situation - in
particular, comment 11 from Jacob:

http://code.djangoproject.com/ticket/3304#comment:11

Yours,
Russ Magee %-)

[Rodolfo Stangherlin]

Ok, but SimpleCookie in Python 2.6 supports it, then a Python patch is
unnecessary.

[Michael Radziej]

Hmm, the comment is out of date since there's now a newer patch that does
not require ugly hacks. On the backside, it means that the http-only
settings is only effective with python2.6.

Michael

--
noris network AG - Deutschherrnstraße 15-19 - D-90429 Nürnberg -
Tel +49-911-9352-0 - Fax +49-911-9352-100
http://www.noris.de - The IT-Outsourcing Company

Vorstand: Ingo Kraupa (Vorsitzender), Joachim Astel, Hansjochen Klenk -
Vorsitzender des Aufsichtsrats: Stefan Schnabel - AG Nürnberg HRB 17689

[Alex Gaynor]

A patch that only works on Python 2.6 will, unequivocally, not be accepted.  Django maintains identaical levels of functionality from Python 2.3 to 2.6.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." --Voltaire
"The people's good is the highest law."--Cicero

[Michael Radziej]

On Tue, Jun 09, Alex Gaynor wrote:

> A patch that only works on Python 2.6 will, unequivocally, not be accepted.
> Django maintains identaical levels of functionality from Python 2.3 to 2.6.

Nah, the patch works with 2.3 to 2.6. But the "http-only" flag will be set
only with python2.6 since the older versions don't support that flag. For
2.3-2.5, the flag is therefore ignored.

[Rodolfo Stangherlin]

If useful, is possible put warning about it in python 2.3-2.5. On
command line (manage.py runserver), it's show a message in screen.
With apache, in a error_log:

import warnings
warnings.warn('httponly is supported in python > 2.6')

If is a good idea, i submit a new patch.


Rodolfo

[Alex Gaynor]

No, as I've stated Django *never* degrades functionality due to Python version.  This would be a massive aberration from that policy.  This is clearly stated in the documentation for users: http://docs.djangoproject.com/en/dev/faq/install/#do-i-lose-anything-by-using-python-2-3-versus-newer-python-versions-such-as-python-2-5

[Michael Radziej]

On Wed, Jun 10, Alex Gaynor wrote:

> No, as I've stated Django *never* degrades functionality due to Python
> version.
> This would be a massive aberration from that policy. This is
> clearly stated in the documentation for users:
> http://docs.djangoproject.com/en/dev/faq/install/#do-i-lose-anything-by-using-python-2-3-versus-newer-python-versions-such-as-python-2-5

No, it says that the Django *core* does not degrade.

Well, session is part of contrib, not of the core. Other contrib.gis
requires 2.4. And it's not that it loses functionality, it just does not
activate a particular precaution that is not available with earlier python
versions. Nevertheless, it's surely better if we can support 'http-only'
also for older python versions. I see only one way to achieve this:

Include the 2.6 version of the cookie library with django and load
that for python 2.3-2.5

I think django already does this for a different library.

Is that the way to go?

[Rodolfo Stangherlin]

I uploaded a new patch, with implementation to Python 2.3-2.5 (based
on cephelo patch) and 2.6. I tested it with 2.5 and all is ok.

--
Rodolfo