From 5116c51b40edc37ed2e1bd68d0069321bc1f3f04 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Sun, 15 Apr 2012 16:34:13 +0000
Subject: [PATCH] Clarified that Django randomizes session keys. Refs #11555, #13478, #18128.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17911 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/topics/http/sessions.txt | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index dcd4ea2c74..4b0bbe4ed5 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -349,20 +349,25 @@ An API is available to manipulate session data outside of a view::
 
     >>> from django.contrib.sessions.backends.db import SessionStore
     >>> import datetime
-    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
-    >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
-    >>> s['last_login']
-    datetime.datetime(2005, 8, 20, 13, 35, 0)
-    >>> s.save()
-
-If ``session_key`` isn't provided, one will be generated automatically::
-
-    >>> from django.contrib.sessions.backends.db import SessionStore
     >>> s = SessionStore()
+    >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
     >>> s.save()
     >>> s.session_key
     '2b1189a188b44ad18c35e113ac6ceead'
+    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
+    >>> s['last_login']
+    datetime.datetime(2005, 8, 20, 13, 35, 0)
+
+In order to prevent session fixation attacks, sessions keys that don't exist
+are regenerated::
+
+    >>> from django.contrib.sessions.backends.db import SessionStore
+    >>> s = SessionStore(session_key='no-such-session-here')
+    >>> s.save()
+    >>> s.session_key
+    'ff882814010ccbc3c870523934fee5a2'
+
 
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
 session is just a normal Django model. The ``Session`` model is defined in
 ``django/contrib/sessions/models.py``. Because it's a normal model, you can