Changes between Initial Version and Version 1 of Ticket #18194, comment 7


Timestamp: Oct 26, 2012, 6:51:59 AM (12 years ago)
Author: Tomáš Ehrlich

Is it necessary to sign session data for all backends? I would define it for file-based sessions only. For example, the signed-cookie backend cares about signing itself. I don't see any advantage in signing database data with TimestampSigner since the expiration date is stored along with session data.

Using modification time seems to me interesting (although simple signing would be useful here), but both solutions (TimestampSigner and modification time) have a slight caveat: While in the database backend we can specify an exact expiration date and check that it's < timezone.now(), here we have the modification date (or date of signing) and we check that it's < timezone.now() - SESSION_COOKIE_AGE. It could be solved by setting the modification date (or date of signing) in the future, but I'm not sure if it's allowed for every file system. TimestampSigner unfortunately doesn't support change of time.
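
The caveat raised in the comment above, as an added example that is not part of the ticket or of Django's code: a stdlib-only stand-in for a timestamped signature, compared with a stored expiry date for a session meant to last one hour. The `sign`/`unsign` helpers, the key and the timestamps are assumptions made for illustration, and unlike TimestampSigner as described in the comment, this `sign` lets the caller choose the signing time so the "shifted date" workaround can be shown.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: stands in for SECRET_KEY
SESSION_COOKIE_AGE = 1209600      # seconds; Django's default of two weeks


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def sign(data: str, signed_at: float) -> str:
    """Hypothetical helper: append a signing time and an HMAC over both."""
    payload = f"{data}:{int(signed_at)}"
    return f"{payload}:{_mac(payload)}"


def unsign(token: str, max_age: int, now: float) -> str:
    """Verify the HMAC, then reject tokens signed more than max_age ago."""
    payload, _, mac = token.rpartition(":")
    if not hmac.compare_digest(mac, _mac(payload)):
        raise ValueError("bad signature")
    data, _, signed_at = payload.rpartition(":")
    if int(signed_at) < now - max_age:
        raise ValueError("signature expired")
    return data


def expiry_date_valid(expire_date: float, now: float) -> bool:
    """Database-backend style check: the stored expiry date is exact."""
    return expire_date > now


def sign_time_valid(token: str, now: float) -> bool:
    """Sign-time style check: only signed_at + SESSION_COOKIE_AGE is known."""
    try:
        unsign(token, SESSION_COOKIE_AGE, now)
    except ValueError:
        return False
    return True


def demo():
    t0 = 1351234319.0                 # constructed timestamp
    expire = t0 + 3600                # session meant to last one hour
    later = t0 + 7200                 # checked two hours after creation
    plain = sign("payload", t0)
    shifted = sign("payload", expire - SESSION_COOKIE_AGE)  # shifted sign date
    return (expiry_date_valid(expire, later),
            sign_time_valid(plain, later),
            sign_time_valid(shifted, later))
```

`demo()` returns `(False, True, False)`: the stored expiry date rejects the session after two hours, the plain sign-time check still accepts it, and only the token whose signing date was shifted to `expire - SESSION_COOKIE_AGE` matches the exact-expiry behaviour.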