After renewed interest because of potential database timing attacks (T31412 <https://code.djangoproject.com/ticket/31412>) I'm looking into an existing PR (PR8736 <https://github.com/django/django/pull/8736> for T21076 <https://code.djangoproject.com/ticket/21076>) for adding the possibility of storing hashes of session keys.
I'm looking to get some feedback on two things.

After going through the existing commits of Chris Griffin, I agree with Aymeric Augustin (who did an initial review of the pull request) that there should be a clearer distinction between the incoming session key (Aymeric talks about a "clear text session key") and the key that gets stored in the sessions backend (Aymeric talks about a "hashed if needed session key"). I'm suggesting <https://github.com/django/django/pull/8736#issuecomment-610986822> to use the names *frontend_key* and *backend_key* for these two concepts.

My second suggestion <https://github.com/django/django/pull/8736#issuecomment-611934012> is to refactor the *SessionBase* class to make sure the session-key hashing happens in one place and isn't spread across all the different backend implementations, as is the case now because the subclasses have to implement public methods that receive the frontend_key. I'm basically suggesting that subclasses implement private methods that receive a backend_key, which will be invoked by the public methods in the base class. Obviously this will have consequences for any existing custom backends out there, though I think those will be affected either way.

I welcome any thoughts on both the naming convention and the refactoring.
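A sketch of the proposed shape, added here as an illustration and not code from the PR or from Django: the base class derives the backend_key from the frontend_key in exactly one place, and backends only implement private methods that receive the backend_key. The method names, the in-memory backend and the choice of SHA-256 are assumptions made for the example.

```python
import hashlib
from abc import ABC, abstractmethod


class SessionBase(ABC):
    """Public methods take the frontend_key (the cookie value); only the
    derived backend_key ever reaches a backend, so hashing lives here."""

    @staticmethod
    def _backend_key(frontend_key):
        # Hypothetical choice of hash: a leaked store holds only digests, and a
        # timing-leaky comparison on the store side never sees the cookie value.
        return hashlib.sha256(frontend_key.encode("ascii")).hexdigest()

    def exists(self, frontend_key):
        return self._exists(self._backend_key(frontend_key))

    def save(self, frontend_key, data):
        self._save(self._backend_key(frontend_key), data)

    def load(self, frontend_key):
        return self._load(self._backend_key(frontend_key))

    # Backend implementers override only these; they receive the backend_key.
    @abstractmethod
    def _exists(self, backend_key): ...
    @abstractmethod
    def _save(self, backend_key, data): ...
    @abstractmethod
    def _load(self, backend_key): ...


class DictSessionStore(SessionBase):
    """In-memory stand-in for a database table keyed by backend_key."""

    def __init__(self):
        self._rows = {}

    def _exists(self, backend_key):
        return backend_key in self._rows

    def _save(self, backend_key, data):
        self._rows[backend_key] = dict(data)

    def _load(self, backend_key):
        return self._rows.get(backend_key, {})
```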