Ticket #4531: sessionid_patch

File sessionid_patch, 1.1 KB (added by Frank Tegtmeyer <fte@…>, 8 years ago)

Patch for safer sessionid generation

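--- a/django/contrib/sessions/models.py
+++ b/django/contrib/sessions/models.py
@@ -1,4 +1,4 @@
-import base64, md5, random, sys, datetime
+import base64, md5, random, sys, datetime, os, time
 import cPickle as pickle
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -14,9 +14,9 @@
     def get_new_session_key(self):
         "Returns session key that isn't being used."
         # The random module is seeded when this Apache child is created.
-        # Use person_id and SECRET_KEY as added salt.
+        # Use SECRET_KEY as added salt.
         while 1:
-            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(random.randint(0, sys.maxint - 1)) + settings.SECRET_KEY).hexdigest()
+            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + str(os.getpid()) + str(time.time()) + settings.SECRET_KEY).hexdigest()
             try:
                 self.get(session_key=session_key)
             except self.model.DoesNotExist: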
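Review bot: The new `session_key = md5.new(...)` line still builds the key from guessable inputs: `random.randint` is a Mersenne Twister draw, while `os.getpid()` and `time.time()` carry little entropy and can be estimated from outside, so the key's unpredictability rests almost entirely on `SECRET_KEY`. Since `os` is now imported, the key material should come from the OS CSPRNG, for example `session_key = md5.new(os.urandom(16) + settings.SECRET_KEY).hexdigest()`, keeping the pid/time mix only as a fallback where `os.urandom` raises `NotImplementedError`. The comment above the loop should then state where the randomness comes from rather than referring to the per-child seeding of `random`. The body of `get_new_session_key` continues past the end of the hunk.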