[Django] #19201: session data should always contain the expiry date


Django

Oct 27, 2012, 9:35:15 AM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
------------------------------------------------+------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Currently, session data only contains the expiry date when it has been
explicitly set.

As a consequence, session backends are required to store the expiration
date as metadata to determine if the session has or hasn't expired:
- the cache backend transmits the expiry age to the cache server
- the database backend stores the expiry date next to the data
- the file backend doesn't store the expiry date at all (see #18194) — it
can be rebuilt from the file's mtime but that sounds fragile
- the signed_cookies backend implements its own timestamping and signing

`SessionBase` already signs the session data (to prevent code execution
attacks in case the pickled session data was compromised), and it
timestamps it when an explicit expiry date is set.

I propose that `SessionBase` always timestamp and sign session data. This
would [https://code.djangoproject.com/ticket/18194#comment:12 simplify
session expiry handling]. The signed_cookies backend would no longer need
to perform its own timestamping and signing.

--
Ticket URL: <https://code.djangoproject.com/ticket/19201>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
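
The proposal in the ticket description above, sketched as an added example (not Django's `SessionBase` code): the expiry travels inside the serialized session and is covered by the same HMAC as the data, so a backend can store the blob without any expiry metadata. The key, function names and JSON layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key"  # constructed placeholder, not a real secret


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mac(body):
    # One HMAC covers both the expiry and the data, so neither can be edited alone.
    return b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def encode_session(data, max_age, now=None):
    """Serialize data together with an absolute expiry time, then sign the result."""
    issued = time.time() if now is None else now
    payload = {"exp": int(issued + max_age), "data": data}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + mac(body)


def decode_session(blob, now=None):
    """Return the session dict, or {} if the blob is forged, malformed or expired."""
    body, sep, sig = blob.rpartition(".")
    if not sep or not hmac.compare_digest(sig.encode(), mac(body).encode()):
        return {}  # signature check comes first: never parse unauthenticated bytes
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    current = time.time() if now is None else now
    if current >= payload["exp"]:
        return {}  # expired: decided from the signed payload, no backend metadata
    return payload["data"]


# A plain dict stands in for a backend that keeps no expiry metadata at all
# (the file backend's situation in the ticket). Sample values are constructed.
store = {"constructed-session-key": encode_session({"user_id": 42}, max_age=60, now=1000)}
```
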

Django

Oct 27, 2012, 1:08:14 PM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
-------------------------------------+-------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by aaugustin):

This refactoring seems necessary to
[https://code.djangoproject.com/ticket/19200#comment:1 enforce
signed_cookies expiry] when a non-default expiry date is set.

--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:1>

Django

Oct 27, 2012, 5:19:38 PM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
-------------------------------------+-------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by aaugustin):

https://github.com/django/django/pull/453 shares some ideas with this
ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:2>

Django

Oct 27, 2012, 6:27:18 PM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
-------------------------------------+-------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Design decision needed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by aaugustin):

* stage: Unreviewed => Design decision needed


--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:3>

Django

Oct 28, 2012, 1:09:38 PM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
-------------------------------------+-------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Design decision needed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Aymeric Augustin <aymeric.augustin@…>):

In [changeset:"88393357a6839fb4ce57793523bc25b17dc188a4"]:
{{{
#!CommitTicketReference repository=""
revision="88393357a6839fb4ce57793523bc25b17dc188a4"
[1.5.x] Marked cookies-based session expiry test as an expected failure.

Refs #19201.

Backport of 58337b3 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:4>

Django

Oct 28, 2012, 1:09:39 PM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
-------------------------------------+-------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Design decision needed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Aymeric Augustin <aymeric.augustin@…>):

In [changeset:"58337b32236eb57d82bf62ed077add3ec69e37f2"]:
{{{
#!CommitTicketReference repository=""
revision="58337b32236eb57d82bf62ed077add3ec69e37f2"


Marked cookies-based session expiry test as an expected failure.

Refs #19201.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:5>

Django

Mar 23, 2013, 9:15:17 AM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
--------------------------------------+------------------------------------
Reporter: aaugustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by aaugustin):

* stage: Design decision needed => Accepted


Comment:

A helpful reference on session expiry implementation:
https://code.djangoproject.com/ticket/18194#comment:12

--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:6>

Django

Jan 25, 2017, 9:53:34 AM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
--------------------------------------+------------------------------------
Reporter: Aymeric Augustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Andreas Pelme):

* cc: andreas@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:7>

Django

Jul 20, 2025, 11:18:03 AM
to django-...@googlegroups.com
#19201: session data should always contain the expiry date
--------------------------------------+------------------------------------
Reporter: Aymeric Augustin | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Efe Öge):

Hello,

I've become aware of this issue through a related bug report I submitted:
https://code.djangoproject.com/ticket/36506.

I'd like to work on this ticket. Would that be okay?
--
Ticket URL: <https://code.djangoproject.com/ticket/19201#comment:8>