#34384: SECRET_KEY_FALLBACKS is not used for sessions
------------------------------+--------------------------------------
Reporter: Eric Zarowny | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: 4.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Joey Lange):
* cc: Joey Lange (added)
Comment:
Hi! I'm a colleague of Eric's, and we were discussing some of the
ramifications of fixing this issue and I thought I'd write them here for
posterity.
In particular for user sessions, using fallback keys in the
`AuthenticationMiddleware`/`auth.get_user(request)` will keep existing
`_auth_user_hash` values from before the rotation being seen as valid,
which is nice during the rotation period, but without any ''upgrading'' of
the `_auth_user_hash` values, when the rotation is finished and the
fallback keys are removed, all of those sessions will essentially be
invalidated again.
So, I think possibly an additional need here is a way to upgrade the
cookies when a fallback key is used? Or at least documentation calling out
this drawback.
--
Ticket URL: <https://code.djangoproject.com/ticket/34384#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/01070186a92db758-032e7ca0-db31-4903-b114-de44c06c0f9e-000000%40eu-central-1.amazonses.com.
