From 024c8118098a4635e7cbc6954e10ea9f783c4f9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hannes=20K=C3=BCttner?=
Date: Thu, 12 Aug 2021 13:13:25 +0200
Subject: [PATCH] Fix BadSignature exception handling in SessionMiddleware

---
 starlette/middleware/sessions.py | 4 ++--
 tests/middleware/test_session.py | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/starlette/middleware/sessions.py b/starlette/middleware/sessions.py
index a13ec5c0ed..ad7a6ee899 100644
--- a/starlette/middleware/sessions.py
+++ b/starlette/middleware/sessions.py
@@ -3,7 +3,7 @@
 from base64 import b64decode, b64encode
 
 import itsdangerous
-from itsdangerous.exc import BadTimeSignature, SignatureExpired
+from itsdangerous.exc import BadSignature
 
 from starlette.datastructures import MutableHeaders, Secret
 from starlette.requests import HTTPConnection
@@ -42,7 +42,7 @@ async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
                 data = self.signer.unsign(data, max_age=self.max_age)
                 scope["session"] = json.loads(b64decode(data))
                 initial_session_was_empty = False
-            except (BadTimeSignature, SignatureExpired):
+            except BadSignature:
                 scope["session"] = {}
         else:
             scope["session"] = {}
diff --git a/tests/middleware/test_session.py b/tests/middleware/test_session.py
index 314f2be583..64be0932b3 100644
--- a/tests/middleware/test_session.py
+++ b/tests/middleware/test_session.py
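Review bot: The new `except BadSignature:` silently turns any cookie that fails signature verification into an empty session, and nothing in the hunk records why the base class is the right catch, so a comment would stop a future reader from narrowing it again, e.g. `# BadSignature is the base of BadTimeSignature and SignatureExpired, so a garbled or forged cookie is handled the same as an expired one` on the line above the except. Since a rejected signature is now indistinguishable from an absent cookie for the rest of the request, consider whether a debug-level log on this path would help when investigating tampered or stale cookies; no logger is visible in the hunk, so that would presumably need its own import. Note that `b64decode` and `json.loads` on the preceding lines sit inside the same `try` but are not covered by the new clause, so a payload with a valid signature that is not valid base64/JSON would still raise — presumably only reachable if the signing key is shared with another producer. `__call__` starts and ends outside the hunk.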
@@ -112,3 +112,16 @@ def test_session_cookie_subpath(test_client_factory):
     cookie = response.headers["set-cookie"]
     cookie_path = re.search(r"; path=(\S+);", cookie).groups()[0]
     assert cookie_path == "/second_app"
+
+
+def test_invalid_session_cookie():
+    app = create_app()
+    app.add_middleware(SessionMiddleware, secret_key="example")
+    client = TestClient(app)
+
+    response = client.post("/update_session", json={"some": "data"})
+    assert response.json() == {"session": {"some": "data"}}
+
+    # we expect it to not raise an exception if we provide a bogus session cookie
+    response = client.get("/view_session", cookies={"session": "invalid"})
+    assert response.json() == {"session": {}}
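Review bot: `test_invalid_session_cookie` builds `TestClient(app)` directly, whereas the neighbouring `test_session_cookie_subpath(test_client_factory)` takes the module's `test_client_factory` fixture; for consistency the new test should accept the fixture and use `client = test_client_factory(app)`. The literal `"invalid"` cookie exercises only the plain `BadSignature` branch; a cookie produced with a different `secret_key` would pin the same empty-session behaviour against a realistically shaped, signature-mismatched value, unless that is already covered elsewhere in the module. The comment `# we expect it to not raise an exception if we provide a bogus session cookie` would read more directly as `# a bogus session cookie must yield an empty session rather than raise`.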