Clarified that Django randomizes session keys. Refs #11555, #13478, #18128.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17911 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-15 16:34:13 +00:00 · 2012-04-15 16:34:13 +00:00 · 5116c51b40
parent 0e01023897
commit 5116c51b40
1 changed files with 14 additions and 9 deletions
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -349,20 +349,25 @@ An API is available to manipulate session data outside of a view::

    >>> from django.contrib.sessions.backends.db import SessionStore
    >>> import datetime
-    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
-    >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
-    >>> s['last_login']
-    datetime.datetime(2005, 8, 20, 13, 35, 0)
-    >>> s.save()
-
-If ``session_key`` isn't provided, one will be generated automatically::
-
-    >>> from django.contrib.sessions.backends.db import SessionStore
    >>> s = SessionStore()
+    >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
    >>> s.save()
    >>> s.session_key
    '2b1189a188b44ad18c35e113ac6ceead'

+    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
+    >>> s['last_login']
+    datetime.datetime(2005, 8, 20, 13, 35, 0)
+
+In order to prevent session fixation attacks, sessions keys that don't exist
+are regenerated::
+
+    >>> from django.contrib.sessions.backends.db import SessionStore
+    >>> s = SessionStore(session_key='no-such-session-here')
+    >>> s.save()
+    >>> s.session_key
+    'ff882814010ccbc3c870523934fee5a2'
+
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
 session is just a normal Django model. The ``Session`` model is defined in
 ``django/contrib/sessions/models.py``. Because it's a normal model, you can