On May 5, 10:20 pm, Jeremy Dunck <jdu...@gmail.com> wrote: > On Wed, May 5, 2010 at 2:45 PM, George Sakkis <george.sak...@gmail.com> wrote: > > ... > > > I'm repeating myself here but if the intention is to really disallow > > user-provided ids. it can be done more clearly: raise an exception if > > the key does not exist and make the session_key property read-only. > > Now it seems like a bug that you can sort of work around by setting > > the key just before saving. > > Allowing an attacker to predictably raise exceptions might be bad.
The exception would not propagate of course all the way up the stack, it would be caught by a caller that knows how to handle it (e.g. middleware). In this way SessionStore backends would be responsible only for the low level storage details, not the security policy. On second thought though this is probably impractical since load() is called implicitly the first time a dict-like method is called, so the exception could be raised almost anywhere the session is first accessed. George -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
