@@ -349,19 +349,24 @@ An API is available to manipulate session data outside of a view::
|
|
|
|
|
|
>>> from django.contrib.sessions.backends.db import SessionStore
|
|
|
>>> import datetime
|
|
|
- >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
|
|
|
+ >>> s = SessionStore()
|
|
|
>>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
|
|
|
+ >>> s.save()
|
|
|
+ >>> s.session_key
|
|
|
+ '2b1189a188b44ad18c35e113ac6ceead'
|
|
|
+
|
|
|
+ >>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
|
|
|
>>> s['last_login']
|
|
|
datetime.datetime(2005, 8, 20, 13, 35, 0)
|
|
|
- >>> s.save()
|
|
|
|
|
|
-If ``session_key`` isn't provided, one will be generated automatically::
|
|
|
+In order to prevent session fixation attacks, sessions keys that don't exist
|
|
|
+are regenerated::
|
|
|
|
|
|
>>> from django.contrib.sessions.backends.db import SessionStore
|
|
|
- >>> s = SessionStore()
|
|
|
+ >>> s = SessionStore(session_key='no-such-session-here')
|
|
|
>>> s.save()
|
|
|
>>> s.session_key
|
|
|
- '2b1189a188b44ad18c35e113ac6ceead'
|
|
|
+ 'ff882814010ccbc3c870523934fee5a2'
|
|
|
|
|
|
If you're using the ``django.contrib.sessions.backends.db`` backend, each
|
|
|
session is just a normal Django model. The ``Session`` model is defined in
|