Re: Hashing Session Keys in backends

2020-04-28 Thread mark
Initial (draft) Pull Request: https://github.com/django/django/pull/12814

The pull request at the very least still needs documentation, but would be good to have a review of the implementation first.

On Thursday, April 23, 2020 at 11:22:39 AM UTC+2, mark wrote:
>
> Hey Adam, thanks for the f

Re: Hashing Session Keys in backends

2020-04-23 Thread mark
Hey Adam, thanks for the feedback, I'll make sure to credit Chris' original work in a new PR, I think I'm getting close to having one ready.

> Is there a way to avoid breaking third party backends, but raising
> deprecation warnings?
>
I could create a new SessionBase child class (something like

Re: Hashing Session Keys in backends

2020-04-14 Thread Adam Johnson
Hi Mark

Thanks for looking into this tricky security issue.

> I'm suggesting to use the names frontend_key and backend_key for these two
> concepts.
>
They seem reasonable to me, as long as there's an explanatory comment. Perhaps it even needs documenting for third party backends.

My second sugge

Hashing Session Keys in backends

2020-04-10 Thread mark
After renewed interest because of potential database timing attacks (T31412), I'm looking into an existing PR (PR8736 for T21076) for adding the possibility of