Clarified that Django randomizes session keys. Refs #11555, #13478, #18128. (5116c51b) · Commits · Dom Sekotill / django

docs/topics/http/sessions.txt

+10 −5

Original line number	Diff line number	Diff line
		@@ -349,19 +349,24 @@ An API is available to manipulate session data outside of a view::

		>>> from django.contrib.sessions.backends.db import SessionStore
		>>> import datetime
		>>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
		>>> s = SessionStore()
		>>> s['last_login'] = datetime.datetime(2005, 8, 20, 13, 35, 10)
		>>> s.save()
		>>> s.session_key
		'2b1189a188b44ad18c35e113ac6ceead'

		>>> s = SessionStore(session_key='2b1189a188b44ad18c35e113ac6ceead')
		>>> s['last_login']
		datetime.datetime(2005, 8, 20, 13, 35, 0)
		>>> s.save()

		If ``session_key`` isn't provided, one will be generated automatically::
		In order to prevent session fixation attacks, sessions keys that don't exist
		are regenerated::

		>>> from django.contrib.sessions.backends.db import SessionStore
		>>> s = SessionStore()
		>>> s = SessionStore(session_key='no-such-session-here')
		>>> s.save()
		>>> s.session_key
		'2b1189a188b44ad18c35e113ac6ceead'
		'ff882814010ccbc3c870523934fee5a2'

		If you're using the ``django.contrib.sessions.backends.db`` backend, each
		session is just a normal Django model. The ``Session`` model is defined in