[Django] #27775: Signed cookies does not support custom expiry

[Django]

#27775: Signed cookies does not support custom expiry
--------------------------------------------+------------------------
Reporter: Andreas Pelme | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------
Calling set_expiry() when using the signed cookies backend does not do
anything. This has been known for quite some time, see:
-
https://github.com/django/django/blob/5890d6ab03ebc7dac46ce7d9540b5768785caa34/django/contrib/sessions/backends/signed_cookies.py#L18-L19
- Ticket #19201

Ticket #19201 already exists that goes into details about problems with
session expiration. This ticket exists to track the particular bug that
custom expiration does not work in the signed cookies backend.

I propose that we should either (and I would be happy to work to get PR:s
for):

- Raise an explicit exception when `set_expiry()` is called on signed
cookie session backend. Currently the call is just ignored which may lead
to security issues if the default configured session timeout is very high
and some sensitive login/session need like to have a much lower
expiration.

- Handle expiration in a signed cookies-specific way (see my PR at
https://github.com/django/django/pull/7885 for an attempt at this).

I very much agree with the conclusion in #19201 that expiration is messy
across backends and is in need of refactor but I think the current state
is even worse where we have silent failures for potentially secret
sensitive code.

I don't have the time to work on a full refactor of the expiration (given
that it needs to be very backward compatible it is probably a bit of work
involved).

--
Ticket URL: <https://code.djangoproject.com/ticket/27775>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+------------------------------------

Reporter: Andreas Pelme | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

----------------------------------+------------------------------------
Changes (by Tim Graham):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:1>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+------------------------------------

Reporter: Andreas Pelme | Owner: nobody
Type: Bug | Status: new
Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+------------------------------------
Changes (by Tim Graham):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:2>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+------------------------------------
Reporter: Andreas Pelme | Owner: buugaj
Type: Bug | Status: assigned
Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+------------------------------------
Changes (by buugaj):

* owner: nobody => buugaj
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:3>

[Django]

#27775: Signed cookies does not support custom expiry

-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Dawid
| Bugajewski
Type: Bug | Status: assigned
Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by Dawid Bugajewski):

* needs_better_patch: 1 => 0

Comment:

[https://github.com/django/django/pull/16206 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:4>

[Django]

#27775: Signed cookies does not support custom expiry

-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Dawid
| Bugajewski
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 0 => 1

* needs_tests: 0 => 1
* needs_docs: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:5>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned
Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Abe Hanoka):

* owner: Dawid Bugajewski => Abe Hanoka

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:6>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Comment (by Abe Hanoka):

https://github.com/django/django/pull/19191
--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:7>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Abe Hanoka):

* needs_better_patch: 1 => 0
* needs_docs: 1 => 0
* needs_tests: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:8>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:9>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Abe Hanoka):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:10>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Sarah Boyce):

* needs_docs: 0 => 1

* needs_tests: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:11>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Abe Hanoka):

* needs_docs: 1 => 0
* needs_tests: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:12>

[Django]

#27775: Signed cookies does not support custom expiry

-------------------------------------+-------------------------------------

Reporter: Andreas Pelme | Owner: Abe
| Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for
| checkin

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:13>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------

Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

* stage: Ready for checkin => Accepted

Comment:

Want to not store values on self
--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:14>

[Django]

#27775: Signed cookies does not support custom expiry

----------------------------------+--------------------------------------
Reporter: Andreas Pelme | Owner: Abe Hanoka
Type: Bug | Status: assigned

Component: contrib.sessions | Version: 1.10

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted

Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0

----------------------------------+--------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0

--
Ticket URL: <https://code.djangoproject.com/ticket/27775#comment:15>