Fixed #24915 -- Added stricter session key validation

Changed _session_key attribute to a property and implemented basic validation in the setter. The session key must be 'truthy' and at least 8 characters long. Otherwise, the value is set to None.
2025-10-23 21:59:11 +00:00 · 2015-06-05 13:48:41 +01:00
parent 20ff296cb1
commit f4416b1a8b
3 changed files with 35 additions and 1 deletions
--- a/docs/releases/1.9.txt
+++ b/docs/releases/1.9.txt
@@ -604,6 +604,8 @@ Miscellaneous
  <django.core.urlresolvers.ResolverMatch.namespace>`, the empty value is now
  an empty string instead of ``None``.

+* For security hardening, session keys must be at least 8 characters.
+
 .. _deprecated-features-1.9:

 Features deprecated in 1.9