On a related note, we're inconsistent about whether or not we sign entries
in the session backends. Some do, some don't. If we're hashing session
keys by default, we should probably also sign everything by default.
Both of these things need an off-switch. There are a fair number of apps
that rely on raw sessionids to provide cross-framework compatibility.
--
Ticket URL: <https://code.djangoproject.com/ticket/21076>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* status: new => assigned
* owner: nobody => Rigel Di Scala
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:1>
* owner: Rigel Di Scala => Chris Griffin
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:2>
* has_patch: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:3>
* needs_better_patch: 0 => 1
Comment:
Aymeric reviewed this on the PR, leaving suggestions for improvement. Once
those are (roughly) addressed please uncheck Patch needs improvement and
we can have another look.
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:4>
* owner: Chris Griffin => Mark
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:5>
Comment (by Mark):
Picking this up together with #31412
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:6>
Comment (by Mark):
Requesting feedback about naming convention (see
[https://github.com/django/django/pull/8736#issuecomment-610986822 this PR
comment]) to make a clear distinction between incoming "clear text"
session keys and session keys that are stored in the sessions backend
(potentially hashed, but not necessarily, depending on settings and
existing session keys). My suggestion is to use the names `frontend_key`
and `backend_key` respectively.
Also requesting feedback concerning a refactor of the `SessionBase` API to
DRY-up the session key conversion (see
[https://github.com/django/django/pull/8736#issuecomment-611934012 this PR
comment]).
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:7>
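
The `frontend_key` / `backend_key` split proposed in the comment above, together with the off-switch asked for in the ticket description, as an added example that is not code from Django or from either PR. `HashedKeyStore`, `HASH_PREFIX`, `hash_keys` and the choice of SHA-256 are assumptions made for illustration; the fallback branch covers existing session keys that were stored before hashing was enabled.

```python
import hashlib
import secrets

HASH_PREFIX = "sha256$"  # assumed marker for hashed rows, not Django's format


class HashedKeyStore:
    """Toy in-memory backend: rows are indexed by backend_key only."""

    def __init__(self, hash_keys=True):
        self.hash_keys = hash_keys  # off-switch for apps sharing raw sessionids
        self.rows = {}  # backend_key -> session data

    def backend_key(self, frontend_key):
        if not self.hash_keys:
            return frontend_key
        digest = hashlib.sha256(frontend_key.encode()).hexdigest()
        return HASH_PREFIX + digest

    def create(self, data):
        frontend_key = secrets.token_urlsafe(32)  # never contains "$"
        self.rows[self.backend_key(frontend_key)] = dict(data)
        return frontend_key  # the only value that goes into the cookie

    def load(self, frontend_key):
        key = self.backend_key(frontend_key)
        if key in self.rows:
            return self.rows[key]
        # Existing row stored before hashing was enabled: migrate on first use.
        # Refuse anything shaped like a backend_key, otherwise a hash read from
        # the database could be replayed as a cookie through this fallback.
        legacy = self.hash_keys and not frontend_key.startswith(HASH_PREFIX)
        if legacy and frontend_key in self.rows:
            self.rows[key] = self.rows.pop(frontend_key)
            return self.rows[key]
        return None
```
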
* needs_better_patch: 1 => 0
Comment:
New PR: [https://github.com/django/django/pull/12814]
Though the patch surely does still need improvement (documentation at the
very least), I'm removing the 'Patch needs improvement' flag to get some
feedback on the current implementation.
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:8>
* cc: Aymeric Augustin (added)
* needs_better_patch: 0 => 1
* needs_docs: 0 => 1
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:9>
* owner: Mark => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:10>
* needs_better_patch: 1 => 0
* has_patch: 1 => 0
* needs_docs: 1 => 0
--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:11>