Django 4.0 sessions


אורי

Aug 9, 2020, 8:37:43 AM
to Django developers (Contributions to Django itself)
Django developers,

I'm using Django 3.0 with sessions on my websites, Speedy Net and Speedy Match. I understand that sessions as they are now (in Django 3.0) will be changed and removed in Django 4.0. I would like to know how it will affect the users of my websites. Will it log out any user who didn't visit the site from Django 3.1 to Django 3.2, or will it also log out any user who didn't log in again to the website using Django 3.1 and 3.2? I use persistent sessions and cookies for ~30 years, and I expect sessions to keep working when I upgrade Django. I think I can handle logging out users who didn't visit the site for ~16 months, but I can't handle users who visited the site as authenticated users but didn't log in again in more than ~16 months - this will mean that when I upgrade (eventually) to Django 4.0, most of my users will suddenly be logged out (who should be logged in). Is there a way to overcome this? Are session objects created by the website other than when users log in? This deprecation can cause me not to want to upgrade Django to 4.0, which is a shame. I upgraded all versions of Django from 1.8 to 3.0, and I'm about to upgrade to 3.1 as well. I also had a problem when I upgraded to Django 2.1, which affected my users, and there was a bug for about 6 weeks on my website, because of the introduction of SESSION_COOKIE_SAMESITE with the default 'Lax' in Django 2.1 [https://stackoverflow.com/questions/59298548/set-cookie-is-not-working-in-chrome-with-two-websites]. Due to this bug my website didn't work properly for about 6 weeks. And I don't want to cause more problems when I upgrade Django to 4.0. Actually I would like the window to be wider - for example, log out users who didn't visit the website for 2 or 3 years, and anyway convert their sessions automatically without forcing them to log in again (if they visited my websites during this time).
Will sessions be converted automatically or can I cause them to be converted automatically to the new format and hashing algorithm, while using Django 3.1 and 3.2, before I upgrade Django to 4.0?

By the way, both my websites are configured to log in and log out users together - if they log in or log out from one website, they should be automatically logged in or logged out from the other domain too.

Is it possible to change the sessions deprecation Django version so that users will have about 2 or 3 years to convert their sessions?

Thanks,

אורי
(Uri)

Tom Forbes

Aug 9, 2020, 9:12:40 AM
to django-d...@googlegroups.com
Is it possible to change the sessions deprecation Django version so that users will have about 2 or 3 years to convert their sessions?

Any session (or signature) that uses sha1 will no longer be valid in Django 4.0. Keeping insecure hash algorithms around for another 2 to 3 years at the framework level, especially when used for sessions, is probably not a good idea.

As a side note Uri, it’s good practice to keep your messages concise when posting. The very long first paragraph in your message containing 4 or 5 questions is hard to parse and respond to, and not all of it appears relevant.

Tom

On 9 Aug 2020, at 13:37, אורי <u...@speedy.net> wrote:

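As an added illustration of the point in Tom's reply (this is example code written for this page, not Django's own signing code and not anything the thread's participants posted): a session cookie is an HMAC signature over the session value, so a verifier that only accepts SHA-256 signatures will reject every cookie that was signed with SHA-1. The example models a transition period in which the verifier still accepts the legacy algorithm but flags the token for re-signing, and then a strict verifier with no legacy fallback. The token format, the class and function names, the "re-sign on access" behaviour and the secret key are all assumptions made for the example.

```python
"""Added example: HMAC signing with a hash-algorithm transition.

Not Django's implementation. Token format "<value>:<hex-signature>", the
TransitionSigner class and the re-sign-on-access policy are invented here.
"""
import hashlib
import hmac

# Constructed sample key; a real deployment uses its own SECRET_KEY.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


class BadSignature(Exception):
    """Raised when no accepted algorithm validates the token."""


class TransitionSigner:
    """Signs with `algorithm`; during a transition also accepts `legacy_algorithms`."""

    def __init__(self, key, algorithm="sha256", legacy_algorithms=()):
        self.key = key
        self.algorithm = algorithm
        self.legacy_algorithms = tuple(legacy_algorithms)

    def _signature(self, value, algorithm):
        # HMAC over the value with the named hash function (sha1, sha256, ...).
        return hmac.new(self.key, value.encode(), getattr(hashlib, algorithm)).hexdigest()

    def sign(self, value):
        return f"{value}:{self._signature(value, self.algorithm)}"

    def unsign(self, token):
        """Return (value, needs_resign).

        needs_resign is True when the token validated only under a legacy
        algorithm, i.e. it should be re-issued with the current one.
        """
        value, _, sig = token.rpartition(":")
        # Constant-time comparison so a forger learns nothing from timing.
        if hmac.compare_digest(sig, self._signature(value, self.algorithm)):
            return value, False
        for legacy in self.legacy_algorithms:
            if hmac.compare_digest(sig, self._signature(value, legacy)):
                return value, True
        raise BadSignature(f"no accepted algorithm validates {token!r}")


def session_lifecycle():
    """Walk one constructed session token through three verifier configurations."""
    old = TransitionSigner(SECRET_KEY, algorithm="sha1")  # pre-transition: SHA-1 only
    transition = TransitionSigner(SECRET_KEY, algorithm="sha256", legacy_algorithms=("sha1",))
    strict = TransitionSigner(SECRET_KEY, algorithm="sha256")  # legacy no longer accepted

    legacy_token = old.sign("session-abc123")  # constructed session value

    # Transition verifier: the SHA-1 token still validates and is flagged for re-signing.
    value, needs_resign = transition.unsign(legacy_token)
    refreshed_token = transition.sign(value) if needs_resign else legacy_token

    # Strict verifier: the untouched SHA-1 token is rejected; the refreshed one is accepted.
    try:
        strict.unsign(legacy_token)
        legacy_accepted_by_strict = True
    except BadSignature:
        legacy_accepted_by_strict = False
    refreshed_value, _ = strict.unsign(refreshed_token)

    return {
        "needs_resign": needs_resign,
        "legacy_accepted_by_strict": legacy_accepted_by_strict,
        "refreshed_value": refreshed_value,
    }


if __name__ == "__main__":
    print(session_lifecycle())
```

Under this model a session is migrated only when its token is presented to the transition verifier and re-signed; a token that is never presented during the transition window stays SHA-1 signed and is rejected once the strict verifier is in place, which is the outcome Uri's question is about.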

אורי

Aug 9, 2020, 9:46:58 AM
to Django developers (Contributions to Django itself)
Hi Tom,


On Sun, Aug 9, 2020 at 4:12 PM Tom Forbes <t...@tomforb.es> wrote:
As a side note Uri, it’s good practice to keep your messages concise when posting. The very long first paragraph in your message containing 4 or 5 questions is hard to parse and respond to, and not all of it appears relevant.

I apologize for the long post and paragraph.

אורי
