Options 2 and 4 from that list both involve database-level changes, and
thus aren't feasible (our lack of schema migration tools being the biggest
problem).
Of those, I'd go for option 3 as well. We definitely don't want to store
the full hash in the session for obvious security reasons, but a small
portion of the hash is probably enough to do the checking, be secure and
provide a high degree of confidence that collisions would be unlikely.
I'll leave it to PaulM or someone else better versed in hashing to comment
on what the appropriate subset might be, or if that's just totally off base.
Lastly, I'll add that it'd really be pushing it to get this into 1.4 at
this point. I, personally, would be willing to allow it on the basis of it
being a security concern, but we'd need to have a really solid patch for it
in the next week or so to have time to review it, test it, etc. Once we
release the beta it's definitely not making it into 1.4.
All the best,
- Gabriel
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/django-developers/-/2FvSlmAuVOIJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.
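As an added illustration of option 3 as discussed in the thread (this is example code, not the patch under discussion and not Django's own implementation), the sketch below keeps a short, keyed digest of the stored password hash in the session rather than the hash itself. When the user's password changes, the stored hash changes, the digest no longer matches, and the old session can be treated as stale. The secret key, the user record, the `_auth_hash` session key and the truncation length are all assumptions chosen for the demo.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment would use the application's secret key.
SECRET_KEY = "demo-secret-key-not-for-production"

# Length of the truncated digest kept in the session (16 hex chars = 64 bits).
SESSION_HASH_LEN = 16


def password_hash(password: str, salt: str, iterations: int = 100_000) -> str:
    """Simulated stored password hash (PBKDF2-SHA256) for a demo user record."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${dk.hex()}"


def session_auth_hash(stored_hash: str, secret: str = SECRET_KEY) -> str:
    """Derive the value to keep in the session.

    A keyed HMAC of the stored hash is computed and truncated, so the session
    holds neither the password hash nor anything an attacker could reverse
    into it, yet still changes whenever the stored hash changes.
    """
    mac = hmac.new(secret.encode(), stored_hash.encode(), hashlib.sha256).hexdigest()
    return mac[:SESSION_HASH_LEN]


def login(stored_hash: str) -> dict:
    """Build a session dict at login time (constructed; stands in for a real session store)."""
    return {"_auth_user_id": 1, "_auth_hash": session_auth_hash(stored_hash)}


def session_still_valid(session: dict, stored_hash: str) -> bool:
    """Check on each request: does the session still match the user's current hash?

    Constant-time comparison avoids leaking digest bytes through timing.
    """
    expected = session_auth_hash(stored_hash)
    return hmac.compare_digest(session.get("_auth_hash", ""), expected)


if __name__ == "__main__":
    current_hash = password_hash("hunter2", "salt-one")
    session = login(current_hash)
    print("after login:", session_still_valid(session, current_hash))

    # User changes password: the stored hash changes, the old session no longer matches.
    current_hash = password_hash("correct horse battery staple", "salt-two")
    print("after password change:", session_still_valid(session, current_hash))
```

Truncating to 64 bits is the "small portion" trade-off the message mentions: the only question is whether two different password hashes for the same user could yield the same prefix by chance, which at 64 bits is not a practical concern, while the HMAC keying ensures the session value by itself says nothing about the underlying hash.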