Use signing backend for signed_cookie session engine

Danielle Madeley

Feb 15, 2017, 8:07:45 PM
to Django developers (Contributions to Django itself)
Hi all,

Was looking at implementing a custom signing backend via a HSM to sign and validate my Django sessions without knowing the key.

It seems that the functions signing.loads() and signing.dumps() force you to use TimestampSigner [1] rather than calling get_cookie_signer(). This has the interesting side effect that response.set_signed_cookie() does go via the signing backend but the signed_cookie session engine is signed with a different backend.

Is there any reason the loads() and dumps() functions don't use the signing backend?


--danni

Tim Graham

Feb 17, 2017, 2:39:43 PM
to Django developers (Contributions to Django itself)
These questions involving old code aren't always easily answered. I would try to answer it by looking through git blame and finding the relative commits and tickets to see if there's an explanation there.