Opened 17 years ago

Closed 17 years ago

#5760 closed (wontfix)

Use keyed hashing for session data, remove duplicate code

Reported by: Nir Soffer <nirs@…> Owned by: nobody
Component: contrib.sessions Version: 0.96
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Use hmac instead of md5 to create a digest of session data. Using hmac is probably more secure than the home built md5 implementation. Also, the current implementation uses hexdigest() when digest() is just fine.

While replacing the hash, extract the digest code to a new function to remove duplicate code.

Issues:

  • Old session will be invalidated with this patch

Attachments (1)

session.patch (1.9 KB ) - added by Nir Soffer <nirs@…> 17 years ago.
patch

Download all attachments as: .zip

Change History (2)

by Nir Soffer <nirs@…>, 17 years ago

Attachment: session.patch added

patch

comment:1 by Malcolm Tredinnick, 17 years ago

Resolution: wontfix
Status: newclosed

I don't think the churn is worth it here, since invalidating existing sessions is a little annoying. If somebody constructs a string that collides with our MD5 hash, there's not a lot they can do, since they really need the right string to be able to work out what's in the session. MD5 is vulnerable to collisions, not reverse-engineering.

Note: See TracTickets for help on using tickets.
Back to Top