Django

Ticket #3716 (closed: duplicate)

Opened 1 year ago

Last modified 1 year ago

[patch] Introducing newsessions

Reported by: Anton Khalikov <anton@khalikov.ru>
Assigned to: adrian
Milestone:
Component: Core framework
Version: SVN
Keywords:
Cc:
Triage Stage: Design decision needed
Has patch: 1
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

Hello everyone

Firstly, there is an old ticket #1180 which was reopened by me today. The problem with the current sessions is that there is a chance of getting a duplicate session 'by design', because there is a window between generating a new session id, checking that it is unused, and actually saving a new session with this id to the db. So, any django-powered project with high traffic.

newsessions is a fork of the old sessions, but it has a completely different approach to generating new sessions: it actually creates a new empty session with a unique id in the database and returns it, so there is a 100% guarantee that there will be no duplicates.

Also, there is another problem in the sessions module: if a malicious user sniffs network traffic, there is a chance for him to get someone's session id and use it successfully, because django has no mechanism to check the IP from which a session was created against the IP from which it is actually used. Of course, newsessions has no such problem because of built-in IP checking :)

The newsessions module uses a different table from django_session, so anyone who wants to try this module doesn't need to break anything. All you need to do is change django.contrib.session.* to django.contrib.newsession.* in your settings.py
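As an added illustration (not the attached patch and not Django's own code; the sqlite table, addresses and session keys are constructed stand-ins), this shows the check-then-save window the report describes, the insert-first approach that lets the primary-key constraint arbitrate collisions, and the IP comparison on load:

```python
import secrets
import sqlite3

# Constructed stand-in for a session table; not Django's django_session model.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (key TEXT PRIMARY KEY, data TEXT, ip TEXT)")
    return db

def key_is_free(db, key):
    return db.execute("SELECT 1 FROM session WHERE key = ?", (key,)).fetchone() is None

def demo_check_then_save_race():
    """Two requests draw the same key (constructed) and both pass the free-key
    check before either saves; an upserting save() lets the later one win."""
    db = make_db()
    key = "deadbeef"
    checks = [key_is_free(db, key), key_is_free(db, key)]  # both see it free
    for ip in ("10.0.0.1", "10.0.0.2"):
        db.execute("INSERT OR REPLACE INTO session VALUES (?, '', ?)", (key, ip))
    rows = db.execute("SELECT ip FROM session WHERE key = ?", (key,)).fetchall()
    return checks, [r[0] for r in rows]

def create_session(db, ip, gen=lambda: secrets.token_hex(16)):
    """Insert first and let the PRIMARY KEY constraint arbitrate: whichever
    writer lands second gets IntegrityError and draws a fresh key."""
    while True:
        key = gen()
        try:
            db.execute("INSERT INTO session VALUES (?, '', ?)", (key, ip))
            return key
        except sqlite3.IntegrityError:
            continue

def load_session(db, key, client_ip):
    # Reject a key presented from an address other than the one that created it.
    row = db.execute("SELECT data, ip FROM session WHERE key = ?", (key,)).fetchone()
    if row is None or row[1] != client_ip:
        return None
    return row[0]

def demo_insert_first():
    db = make_db()
    keys = iter(["dup", "dup", "fresh"])  # constructed: second caller collides once
    k1 = create_session(db, "10.0.0.1", gen=lambda: next(keys))
    k2 = create_session(db, "10.0.0.2", gen=lambda: next(keys))
    return k1, k2, load_session(db, k1, "10.0.0.1"), load_session(db, k1, "10.0.0.2")
```

The race is interleaved deliberately in a single thread so the outcome is deterministic; under real concurrency the same window is simply hit by chance.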

Attachments

newsessions.patch (7.6 kB) - added by Anton Khalikov <anton@khalikov.ru> on 03/13/07 06:40:48.
newsessions module

Change History

03/13/07 06:40:48 changed by Anton Khalikov <anton@khalikov.ru>

  • attachment newsessions.patch added.

newsessions module

03/13/07 06:44:42 changed by anonymous

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.

Oops, lost my idea here: So, any django-powered project with high traffic .... may be vulnerable.

03/13/07 14:25:12 changed by SmileyChris

  • stage changed from Unreviewed to Design decision needed.

If the problem with (old)sessions is as you state, then definitely something needs to change.

I'm not quite sure about the session-IP tie, I think it came up a long time ago and the devs weren't sold on it. Either way, this is worth bringing up in the developer group for discussion. Here is a post to get things rolling.

03/13/07 23:29:28 changed by Anton Khalikov <anton@khalikov.ru>

SmileyChris, the reason I called my stuff 'newsessions' is that they have a different table structure which is not compatible with the current session model. Use them or not, it's up to you guys, but as I said, your current model of sessions is vulnerable by default (it was designed to be vulnerable).

03/18/07 04:53:28 changed by Simon G. <dev@simon.net.nz>

  • status changed from new to closed.
  • resolution set to duplicate.

Marking as duplicate as #1180 has more discussion about this. Please continue there.
