> Hi,
>
> I have the following code to set a self-defined session_key:
>
> >>> from django.contrib.sessions.backends.db import SessionStore
> >>> from django.contrib.sessions.models import Session
> >>> a = SessionStore(session_key="fwefwejfo3j20jf02jnfweojfeo")
> >>> a.save()
> >>> a.session_key
> 'a6e020a64789b5644e923c85b80a1d0b'
>
> Why did the session_key get changed after being saved in the DB? Where is my defined
> session_key?
>
This is not a bug, it is by design. The session app is protecting you
from session fixation attacks.

If you try to use a session with a specified key, and no session with
that key exists, Django will cycle the session key to avoid a user
being caught by a session fixation attack, where a malicious user
attempts to get a valid user to log in using a known session key, and
then accesses their session.

Cheers

Tom
--
You received this message because you are subscribed to the Google Groups "Django users" group.
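
The behaviour described in the reply, as an added example that is not part of the original thread and is not Django's code: a simplified in-memory model of a session store that compares adopting an unknown client-supplied key with replacing it. The names `ModelSessionStore` and `fixation_outcome` are hypothetical, and the user "alice" is constructed.

```python
import secrets


class ModelSessionStore:
    """Simplified model of a server-side session store (not Django's implementation)."""

    def __init__(self, accept_unknown_keys):
        self.rows = {}  # session_key -> session data
        self.accept_unknown_keys = accept_unknown_keys

    def open(self, presented_key):
        """Return the key the server will actually use for this client."""
        if presented_key in self.rows:
            return presented_key            # known session: keep using it
        if self.accept_unknown_keys and presented_key:
            key = presented_key             # weak: adopts a key the server never issued
        else:
            key = secrets.token_hex(16)     # hardened: unknown key is cycled to a fresh one
        self.rows[key] = {}
        return key

    def login(self, key, user):
        self.rows[key]["user"] = user

    def user_for(self, presented_key):
        """Who the server sees when this key is presented."""
        return self.rows.get(presented_key, {}).get("user")


def fixation_outcome(accept_unknown_keys):
    """Return (key_was_kept, user_reachable_via_planted_key)."""
    store = ModelSessionStore(accept_unknown_keys)
    planted = "fwefwejfo3j20jf02jnfweojfeo"  # key from the post; the server never issued it
    used_key = store.open(planted)            # client presents the pre-chosen key
    store.login(used_key, "alice")            # constructed user logs in on that session
    return used_key == planted, store.user_for(planted)


if __name__ == "__main__":
    print("adopts unknown key:", fixation_outcome(True))
    print("cycles unknown key:", fixation_outcome(False))
```

In the hardened case the pre-chosen key never maps to a logged-in session, which is why the key printed in the question differs from the one passed to `SessionStore`.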