Fixed #24915 -- Added stricter session key validation

Changed _session_key attribute to a property and implemented basic validation in the setter. The session key must be 'truthy' and at least 8 characters long. Otherwise, the value is set to None.
2025-08-03 02:23:12 +00:00 · 2015-06-05 13:48:41 +01:00 · 2015-06-05 13:48:41 +01:00 · f4416b1a8b
commit f4416b1a8b
parent 20ff296cb1
3 changed files with 35 additions and 1 deletions
--- a/tests/sessions_tests/tests.py
+++ b/tests/sessions_tests/tests.py
@ -198,6 +198,21 @@ class SessionTestsMixin(object):
            # session key; make sure that entry is manually deleted
            session.delete('1')

+    def test_session_key_empty_string_invalid(self):
+        """Falsey values (Such as an empty string) are rejected."""
+        self.session._session_key = ''
+        self.assertIsNone(self.session.session_key)
+
+    def test_session_key_too_short_invalid(self):
+        """Strings shorter than 8 characters are rejected."""
+        self.session._session_key = '1234567'
+        self.assertIsNone(self.session.session_key)
+
+    def test_session_key_valid_string_saved(self):
+        """Strings of length 8 and up are accepted and stored."""
+        self.session._session_key = '12345678'
+        self.assertEqual(self.session.session_key, '12345678')
+
    def test_session_key_is_read_only(self):
        def set_session_key(session):
            session.session_key = session._get_new_session_key()