Skip to content

Add digest_method to SessionMiddleware #2986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bcarroll wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add digest_method to SessionMiddleware #2986

bcarroll wants to merge 9 commits into from

Conversation

@bcarroll
Copy link

@bcarroll bcarroll commented Aug 25, 2025

Summary

itsdangerous includes a patch for this issue, but the TimestampSigner used in SessionMiddleware does not allow the digest_method to be changed from the itsdangerous default, which is SHA1, and causes SessionMiddleware to generate an exception in a ubi8/ubi9 RedHat container. This commit allows the Starlette Session Middleware to support FIPS builds without SHA-1 by adding a digest_method parameter to the constructor.

Checklist

  • I understand that this PR may be closed in case there was no previous discussion. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.

Brett Carroll and others added 6 commits August 21, 2025 11:03
add digest_method to SessionMiddleware constructor.
6f96988 
This is needed to support FIPS builds without SHA-1.  itsdangerous includes a patch for this issue, but the TimestampSigner used in SessionMiddleware does not allow the digest_method to be changed from the itsdangerous default, which is SHA1, and causes SessionMiddleware to generate an exception in a ubi8/ubi9 RedHat container
@bcarroll
add digest_method to SessionMiddleware
dc49299
add sha256 session test
08b9784
Merge branch 'master' of https://github.com/bcarroll/starlette
996c8f9
@bcarroll
Merge branch 'master' into master
6d6007c
@bcarroll
Merge branch 'master' into master
09895b1
Kludex
Kludex reviewed Sep 6, 2025
View reviewed changes
starlette/middleware/sessions.py
same_site: Literal["lax", "strict", "none"] = "lax",
https_only: bool = False,
domain: str | None = None,
digest_method: Any | None = None,
Copy link
Owner

@Kludex Kludex Sep 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the right type for this digest_method?

Copy link
Author

@bcarroll bcarroll Sep 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure what the correct type is, I just borrowed the Any type from the itsdangerous code.
https://github.com/pallets/itsdangerous/blob/672971d66a2ef9f85151e53283113f33d642dabd/src/itsdangerous/signer.py#L60

@Kludex Kludex changed the title add digest_method to SessionMiddleware Add digest_method to SessionMiddleware Sep 6, 2025
@bcarroll bcarroll requested a review from Kludex September 6, 2025 16:19
@jimmyhedstr0m
Copy link

jimmyhedstr0m commented Jan 9, 2026

What is the status of this one? To be able to add digest method is highly appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Awaiting requested review from Kludex

Assignees

@bcarroll bcarroll

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bcarroll @jimmyhedstr0m @Kludex