
Fixed #24468 -- Made signed cookies cache backend resilient to unpickling exceptions.

Tim Graham 10 years ago
parent
commit
8a481498aa
2 changed files with 15 additions and 1 deletions
  1. 3 1
      django/contrib/sessions/backends/signed_cookies.py
  2. 12 0
      tests/sessions_tests/tests.py

+ 3 - 1
django/contrib/sessions/backends/signed_cookies.py

@@ -17,7 +17,9 @@ class SessionStore(SessionBase):
                 # This doesn't handle non-default expiry dates, see #19201
                 max_age=settings.SESSION_COOKIE_AGE,
                 salt='django.contrib.sessions.backends.signed_cookies')
-        except (signing.BadSignature, ValueError):
+        except Exception:
+            # BadSignature, ValueError, or unpickling exceptions. If any of
+            # these happen, reset the session.
             self.create()
         return {}
 
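Review bot: The new `except Exception:` branch in `load()` resets the session without recording anything, so a cookie that passed signature verification but could not be deserialized leaves no trace for whoever operates the site. That case is worth surfacing: it means either a serializer switch or a validly signed payload the serializer rejected, and with PickleSerializer the exception is raised only after the bytes have already been handed to the unpickler. I would bind the exception and log it before `self.create()`, for example `except Exception as e:` followed by `logger.warning('Session data could not be loaded: %s', e.__class__.__name__)`. No logger is visible in this hunk, so one under the `django.security` hierarchy would have to be set up at module level. The comment could also state why the catch is broad, e.g. `# Unpickling can raise almost any exception type, so a narrow except is not enough.` The body of `load()` begins above this hunk.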

+ 12 - 0
tests/sessions_tests/tests.py

@@ -17,6 +17,9 @@ from django.contrib.sessions.backends.signed_cookies import \
 from django.contrib.sessions.exceptions import InvalidSessionKey
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.contrib.sessions.models import Session
+from django.contrib.sessions.serializers import (
+    JSONSerializer, PickleSerializer,
+)
 from django.core import management
 from django.core.cache import caches
 from django.core.cache.backends.base import InvalidCacheBackendError
@@ -632,3 +635,12 @@ class CookieSessionTests(SessionTestsMixin, unittest.TestCase):
     def test_actual_expiry(self):
         # The cookie backend doesn't handle non-default expiry dates, see #19201
         super(CookieSessionTests, self).test_actual_expiry()
+
+    def test_unpickling_exception(self):
+        # signed_cookies backend should handle unpickle exceptions gracefully
+        # by creating a new session
+        self.assertEqual(self.session.serializer, JSONSerializer)
+        self.session.save()
+
+        self.session.serializer = PickleSerializer
+        self.session.load()
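Review bot: `test_unpickling_exception` ends on a bare `self.session.load()` and asserts nothing about the outcome, so it passes whenever no exception escapes, even if `load()` returned stale or partially decoded data. The except branch in `signed_cookies.py` returns `{}` after `self.create()`, so the last line can pin that: `self.assertEqual(self.session.load(), {})`. The comment says a new session is created, but the test does not check it; an assertion on whatever state `create()` leaves behind would cover that, though that state is not visible from these hunks.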