Added an explicit warning about cookie session store to release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17529 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-02-16 02:08:11 +00:00 · 2012-02-16 02:08:11 +00:00 · c05930c858
parent ea8af819ab
commit c05930c858
2 changed files with 15 additions and 0 deletions
--- a/docs/releases/1.4-beta-1.txt
+++ b/docs/releases/1.4-beta-1.txt
@ -197,6 +197,13 @@ Django 1.4 introduces a new cookie-based backend for the session framework
 which uses the tools for :doc:`cryptographic signing </topics/signing>` to
 store the session data in the client's browser.

+.. warning::
+
+    Session data is signed and validated by the server, but is not
+    encrypted.  This means that a user can view any data stored in the
+    session, but cannot change it. Please read the documentation for
+    further clarification before using this backend.
+
 See the :ref:`cookie-based session backend <cookie-session-backend>` docs for
 more information.

--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@ -171,6 +171,14 @@ Django 1.4 introduces a cookie-based session backend that uses the tools for
 :doc:`cryptographic signing </topics/signing>` to store the session data in
 the client's browser.

+.. warning::
+
+    Session data is signed and validated by the server, but is not
+    encrypted.  This means that a user can view any data stored in the
+    session, but cannot change it. Please read the documentation for
+    further clarification before using this backend.
+
+
 See the :ref:`cookie-based session backend <cookie-session-backend>` docs for
 more information.