How so? An exception here will be caught by the app or become a 500. That's better than possibly using a chosen session key due to miscoding.
Matthew

On May 5, 2010 4:20 PM, "Jeremy Dunck" <jdu...@gmail.com> wrote:

On Wed, May 5, 2010 at 2:45 PM, George Sakkis <george.sak...@gmail.com> wrote:
...
> I'm repeating myself here but if the intention is to really disallow
> user-provided ids. it can b...

Allowing an attacker to predictably raise exceptions might be bad.

> By the way, this does not apply to all backends; file SessionStore for
> example uses passed ids ...

I filed a ticket for this: http://code.djangoproject.com/ticket/13478

--
You received this message because you are subscribed to the Google Groups "Django developers" g...
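The three behaviours this thread weighs for a session key that the client supplies but the store never issued, as an added example that is not part of the original messages and is not Django's code. `ToySessionStore`, its `policy` values and the sample key are hypothetical.

```python
import secrets


class UnknownSessionKey(Exception):
    """Raised by the 'raise' policy for a key the store never issued."""


class ToySessionStore:
    """Hypothetical in-memory session store (not Django's SessionStore)."""

    POLICIES = ("accept", "raise", "regenerate")

    def __init__(self, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy: {policy!r}")
        self.policy = policy
        self._data = {}

    def create(self):
        """Issue a fresh server-generated key with an empty session."""
        key = secrets.token_hex(16)
        self._data[key] = {}
        return key

    def load(self, client_key):
        """Return (key, session) for the key presented by the client."""
        if client_key in self._data:
            return client_key, self._data[client_key]
        if self.policy == "accept":
            # The session now lives under a key the client chose.
            self._data[client_key] = {}
            return client_key, self._data[client_key]
        if self.policy == "raise":
            # Uncaught, this surfaces as a 500 that any client can trigger.
            raise UnknownSessionKey(client_key)
        # "regenerate": drop the supplied key and issue a server-chosen one.
        key = self.create()
        return key, self._data[key]


def compare_policies(client_key="client-chosen-key"):  # constructed sample key
    """Show what each policy does with a key the store never issued."""
    outcome = {}
    for policy in ToySessionStore.POLICIES:
        try:
            key, _ = ToySessionStore(policy).load(client_key)
            outcome[policy] = "kept client key" if key == client_key else "issued new key"
        except UnknownSessionKey:
            outcome[policy] = "exception"
    return outcome
```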