Clarified that Django randomizes session keys. Refs #11555, #13478, #18128.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17911 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 5116c51b40edc37ed2e1bd68d0069321bc1f3f04 1 parent 0e01023
Aymeric Augustin authored

Showing 1 changed file with 10 additions and 5 deletions.

docs/topics/http/sessions.txt
@@ -349,19 +349,24 @@ An API is available to manipulate session data outside of a view::
349 349
 
350 350
     >>> from django.contrib.sessions.backends.db import SessionStore
351 351
     >>> import datetime
352  
-    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
  352
+    >>> s = SessionStore()
353 353
     >>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
  354
+    >>> s.save()
  355
+    >>> s.session_key
  356
+    '2b1189a188b44ad18c35e113ac6ceead'
  357
+
  358
+    >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
354 359
     >>> s['last_login']
355 360
     datetime.datetime(2005, 8, 20, 13, 35, 0)
356  
-    >>> s.save()
357 361
 
358  
-If ``session_key`` isn't provided, one will be generated automatically::
  362
+In order to prevent session fixation attacks, sessions keys that don't exist
  363
+are regenerated::
359 364
 
360 365
     >>> from django.contrib.sessions.backends.db import SessionStore
361  
-    >>> s = SessionStore()
  366
+    >>> s = SessionStore(session_key='no-such-session-here')
362 367
     >>> s.save()
363 368
     >>> s.session_key
364  
-    '2b1189a188b44ad18c35e113ac6ceead'
  369
+    'ff882814010ccbc3c870523934fee5a2'
365 370
 
366 371
 If you're using the ``django.contrib.sessions.backends.db`` backend, each
367 372
 session is just a normal Django model. The ``Session`` model is defined in
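Review bot: the rewritten first example stores ``datetime.datetime(2005, 8, 20, 13, 35, 10)``, saves, and then reloads the same key, but the unchanged context lines still echo ``datetime.datetime(2005, 8, 20, 13, 35, 0)`` for ``>>> s['last_login']``; now that the write and the read-back are one sequence the seconds disagree, so change the echoed value to ``datetime.datetime(2005, 8, 20, 13, 35, 10)`` (or store ``13, 35, 0``) so the round trip is consistent. Also, "sessions keys that don't exist" in the new sentence should read "session keys that don't exist". It may be worth adding a clause saying that the key passed to ``SessionStore`` is discarded and the caller must read ``s.session_key`` back after saving, which is exactly what the second example demonstrates.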
