Fixed #24915 - Added stricter session key validation

[david-bannon]

Changed _session_key attribute to a property and implemented basic
validation in the setter. The session key must be 'truthy' and
at least 8 characters long. Otherwise, the value is set to None.

https://code.djangoproject.com/ticket/24915

[carljm]

This should be three tests, not one.

[carljm]

This looks good to me. At first, the double layer of properties seemed like overkill, but on second thought it seems OK to be cautious by maintaining the session_key property as read-only, and avoiding changing the initialization routine, to avoid any issues with third-party session backends.

[david-bannon]

@carljm I have split the validation test into three tests as suggested.

The doubly layered properties look a bit weird all right but I figured it was the ideal way to implement the additional functionality without changing the internal API (ostensibly for the reasons you mentioned, realistically because I don't have a good feel for the code base and took the cautious approach :-P).

[carljm]

Looks good to me! Can you squash the second commit into the first (so there's just one commit with the proper commit message) and force push? Then this looks ready for checkin.

[david-bannon]

@carljm Done

[timgraham]

Please include periods in docstrings.

[timgraham]

Could you explain why the limit is 8? (or mention it's somewhat arbitrary)

[david-bannon]

Added periods to docstrings.
The 8 character limitation is indeed an arbitrary lower bound to enforce a minimum level of collision security. I went with 8 as it was suggested in the trac ticket.

[david-bannon]

New commit in response to @timgraham's comments. Held off on squashing to allow further development if necessary and make diff apparent. Let me know when to re-squash.

[timgraham]

Looks good. I added a sentence in the release notes and merged in f4416b1, thanks!