Wednesday, March 27, 2013

Re: Avoiding Sessions

Some clients may not allow cookies, which would be a problem if that's
your full session strategy. If you're storing nothing but the default
information in the cookie then there shouldn't be any risk, and in any
case the cookie is encrypted with the SECRET_KEY from your settings.
If you store additional information in the session then you run the
risk of exceeding the size allowed for a cookie, and theoretically
that information being exposed, although that's unlikely if your
SECRET_KEY is good.

In my opinion, using Redis as a back-end will be much better for
multiple reasons, not the least of which is performance. Also,
built-in key expiration in Redis is excellent (check your existing
session table for the entire history of sessions for your
application).

--
You received this message because you are subscribed to the Google Groups "Django users" group.
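As an added illustration, not code from this thread or from Django itself: a minimal HMAC-signed cookie session in the style of Django's signed_cookies backend, showing that the tag keyed with SECRET_KEY catches tampering while the payload stays readable to whoever holds the cookie, and checking the encoded size against the usual 4096-byte per-cookie limit. The function names, COOKIE_LIMIT and the sample key and session values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for the demo; in Django this role is played by settings.SECRET_KEY.
SECRET_KEY = "constructed-demo-secret-change-me"
# Browsers commonly cap one cookie at about 4096 bytes (name, '=' and value included).
COOKIE_LIMIT = 4096


def encode_session(data: dict, key: str = SECRET_KEY) -> str:
    """Serialize session data as base64(JSON) and append an HMAC-SHA256 tag.
    The payload is signed, not encrypted: anyone holding the cookie can read it."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def decode_session(cookie: str, key: str = SECRET_KEY) -> Optional[dict]:
    """Return the session dict if the tag verifies, else None (tampered or wrong key)."""
    payload, _, tag = cookie.rpartition(":")
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def peek_without_key(cookie: str) -> dict:
    """What a client sees without SECRET_KEY: the full payload, only the tag is opaque."""
    payload = cookie.rpartition(":")[0]
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def fits_in_cookie(cookie: str, name: str = "sessionid") -> bool:
    """Check 'name=value' against the per-cookie size budget before storing extra data."""
    return len(name) + 1 + len(cookie) <= COOKIE_LIMIT
```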
