How so? An exception here will be caught by the app or become a 500. That's better than possibly using a chosen session key due to miscoding.
Matthew
On May 5, 2010 4:20 PM, "Jeremy Dunck" <jdu...@gmail.com> wrote:
On Wed, May 5, 2010 at 2:45 PM, George Sakkis <george...@gmail.com> wrote:
...
> I'm repeating myself here but if the intention is to really disallow
> user-provided ids, it can b...
Allowing an attacker to predictably raise exceptions might be bad.
> By the way, this does not apply to all backends; file SessionStore for
> example uses passed ids ...
I filed a ticket for this: http://code.djangoproject.com/ticket/13478