Tuesday, May 31, 2011

Re: Why self-defined session_key got changed when save in DB?

On Sat, May 28, 2011 at 4:00 AM, Jimmy <jimmy.don.know@gmail.com> wrote:
> Hi,
> I have the following code to set a self-defined session_key:
> >>> from django.contrib.sessions.backends.db import SessionStore
> >>> from django.contrib.sessions.models import Session
> >>> a = SessionStore(session_key="fwefwejfo3j20jf02jnfweojfeo")
> >>> a.save()
> >>> a.session_key
> 'a6e020a64789b5644e923c85b80a1d0b'
> Why did the session_key get changed after being saved in the DB? Where is my
> defined session_key?

This is not a bug; it is by design. The session app is protecting you
from session fixation attacks.

If you try to use a session with a specified key, and no session with
that key exists, Django will cycle the session key to avoid a user
being caught by a session fixation attack, where a malicious user
attempts to get a valid user to log in using a known session key, and
then accesses their session.
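To make the rule in the reply concrete, here is an added model of it in plain Python. It is not Django's code; `FixationSafeSessionStore` and the in-memory `db` dict standing in for the session table are assumptions. A caller-supplied key is honoured only if a session with that key already exists; otherwise `save()` issues a fresh random key, and `cycle_key()` shows the re-keying a login should perform.

```python
import secrets


class FixationSafeSessionStore:
    """Hypothetical model of a DB-backed session store (not Django's code).

    A caller may name a session key, but it is only honoured if a session
    with that key already exists. Otherwise save() generates a fresh random
    key, so a planted key never becomes a readable session.
    """

    def __init__(self, db=None, session_key=None):
        # `db` stands in for the session table: session_key -> session data.
        self.db = db if db is not None else {}
        self.session_key = session_key
        # Load data only for a key that really exists; unknown keys start empty.
        self.data = dict(self.db.get(session_key, {}))

    def exists(self, session_key):
        return session_key in self.db

    def _new_session_key(self):
        # Draw random keys until one is unused (32 hex chars, like the thread's value).
        while True:
            key = secrets.token_hex(16)
            if not self.exists(key):
                return key

    def save(self):
        # Never create a row under an unknown caller-supplied key: cycle instead.
        if self.session_key is None or not self.exists(self.session_key):
            self.session_key = self._new_session_key()
        self.db[self.session_key] = dict(self.data)
        return self.session_key

    def cycle_key(self):
        # On login: keep the data, discard the old key, issue a new one.
        self.db.pop(self.session_key, None)
        self.session_key = self._new_session_key()
        self.db[self.session_key] = dict(self.data)
        return self.session_key


def demo():
    # Constructed scenario: someone tries to pre-set the key from the thread.
    db = {}
    planted = "fwefwejfo3j20jf02jnfweojfeo"
    s = FixationSafeSessionStore(db, session_key=planted)
    s.data["user"] = "victim"
    saved = s.save()
    # The planted key is discarded; only the fresh key exists in the store.
    return saved != planted and planted not in db and saved in db
```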



You received this message because you are subscribed to the Google Groups "Django users" group.
