Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Clarified that Django randomizes session keys. Refs #11555, #13478, #…

…18128.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17911 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 5116c51b40edc37ed2e1bd68d0069321bc1f3f04 1 parent 0e01023
@aaugustin aaugustin authored
Showing with 10 additions and 5 deletions.
  1. +10 −5 docs/topics/http/sessions.txt
View
15 docs/topics/http/sessions.txt
@@ -349,19 +349,24 @@ An API is available to manipulate session data outside of a view::
>>> from django.contrib.sessions.backends.db import SessionStore
>>> import datetime
- >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
+ >>> s = SessionStore()
>>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
+ >>> s.save()
+ >>> s.session_key
+ '2b1189a188b44ad18c35e113ac6ceead'
+
+ >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
>>> s['last_login']
datetime.datetime(2005, 8, 20, 13, 35, 0)
- >>> s.save()
-If ``session_key`` isn't provided, one will be generated automatically::
+In order to prevent session fixation attacks, sessions keys that don't exist
+are regenerated::
>>> from django.contrib.sessions.backends.db import SessionStore
- >>> s = SessionStore()
+ >>> s = SessionStore(session_key='no-such-session-here')
>>> s.save()
>>> s.session_key
- '2b1189a188b44ad18c35e113ac6ceead'
+ 'ff882814010ccbc3c870523934fee5a2'
If you're using the ``django.contrib.sessions.backends.db`` backend, each
session is just a normal Django model. The ``Session`` model is defined in
Please sign in to comment.
Something went wrong with that request. Please try again.