On Wed, May 5, 2010 at 2:45 PM, George Sakkis <george.sak...@gmail.com> wrote:
...
> I'm repeating myself here but if the intention is to really disallow
> user-provided ids, it can be done more clearly: raise an exception if
> the key does not exist and make the session_key property read-only.
> Now it seems like a bug that you can sort of work around by setting
> the key just before saving.

Allowing an attacker to predictably raise exceptions might be bad.

> By the way, this does not apply to all backends; file SessionStore for
> example uses passed ids as is. Whatever the desired behavior is, it
> should apply to all backends, so the relevant logic should move to
> SessionBase.

I filed a ticket for this: http://code.djangoproject.com/ticket/13478
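An added sketch of the behaviour discussed in this thread, not part of the original messages and not Django's own code: the check for client-supplied ids lives in one base class so every backend inherits it, the key is read-only, and an unknown key is replaced with a fresh one instead of raising. The classes `SessionBase` and `DictStore` and the `_read`/`_write`/`_new_key` helpers here are hypothetical toy names, and the in-memory store is a constructed stand-in for a real backend.

```python
import secrets

class SessionBase:
    """Toy base class for this example (hypothetical, not Django's SessionBase)."""

    def __init__(self, session_key=None):
        self._session_key = session_key  # value taken from the client's cookie
        self._data = None

    @property
    def session_key(self):
        return self._session_key  # read-only: no setter is defined

    def load(self):
        stored = None
        if self._session_key is not None:
            stored = self._read(self._session_key)
        if stored is None:
            # Unknown key: neither adopt it nor raise, so a forged cookie gets a new id.
            self._session_key = self._new_key()
            stored = {}
        self._data = stored
        return self._data

    def save(self):
        if self._data is None:
            self.load()
        self._write(self._session_key, self._data)

    def _new_key(self):
        while True:
            key = secrets.token_hex(16)
            if self._read(key) is None:  # avoid colliding with a live session
                return key

    def _read(self, key):  # backends implement storage only
        raise NotImplementedError

    def _write(self, key, data):
        raise NotImplementedError

class DictStore(SessionBase):
    _db = {}  # constructed in-memory stand-in for a file, cache or database backend

    def _read(self, key):
        return dict(self._db[key]) if key in self._db else None

    def _write(self, key, data):
        self._db[key] = dict(data)
```

Because `load()` is the only place a client-supplied key is accepted, a second backend subclass that defines just `_read` and `_write` gets the same handling.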