#13478 closed Cleanup/optimization (needsinfo)
Session backends should all refuse user-defined, non-existent IDs
Reported by: | Jeremy Dunck | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | 1.1 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
DB session store refuses to use non-existent user-supplied session IDs. This is done in an attempt to avoid session fixation attacks.
Per George Sakkis on the mailing list, not all backends similarly refuse user-supplied IDs. File session apparently doesn't, for example.
All backends should be the same in this enforcement (or not).
Attachments (1)
Change History (10)
comment:1 by , 15 years ago
Triage Stage: | Unreviewed → Accepted |
---|---|
comment:2 by , 14 years ago
The email thread referenced by the description is here:
http://groups.google.com/group/django-developers/browse_thread/thread/1858fd3106805fab/e087ec33bd64bae9
comment:3 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → Cleanup/optimization |
by , 13 years ago
Attachment: | 13478.1.patch added |
---|---|
comment:7 by , 13 years ago
Has patch: | set |
---|---|
Needs tests: | set |
Here's a patch for the docs, I also intend to add test cases validating that a non-existing session key is regenerated.
comment:8 by , 13 years ago
Needs tests: | unset |
---|---|
Resolution: | → needsinfo |
Status: | new → closed |
The assertion on the mailing list was: "By the way, this does not apply to all backends; file SessionStore for example uses passed ids as is."
But it wasn't backed by any code, and we have a test proving the contrary: SessionTestsMixin.test_invalid_key.
I checked the code of the file-based session store, and it clearly creates a new session if there's no file matching the given session key.
It seems to me that this sentence was just hand waving.
(I'm going to commit the docs patch which is related to this ticket anyway.)
This should be enforced consistently.
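The behaviour the description asks for and comment 8 confirms (a backend that never adopts a session key it did not itself issue, and instead starts a fresh session under a new key), as an added example. This is not Django's code and not the attached patch: the dict-backed `InMemorySessionStore`, the 32-character lowercase-alphanumeric key form, and the `unknown_key_is_refused` helper are all assumptions of this example. The helper mirrors only the idea of `SessionTestsMixin.test_invalid_key` (start a session with a key the backend has never seen, then confirm the key was replaced).

```python
import secrets
import string

# Assumption of this example: keys are 32 chars drawn from this alphabet.
KEY_ALPHABET = string.ascii_lowercase + string.digits
KEY_LENGTH = 32


class InMemorySessionStore:
    """Stand-in session backend (constructed for this example, not Django's).

    The class-level dict plays the role of the shared storage (a DB table or
    a directory of session files) that every store instance reads and writes.
    """

    _storage: dict = {}

    def __init__(self, session_key=None):
        # session_key is whatever arrived in the client's cookie: untrusted.
        self._session_key = session_key
        self._data = None
        self.regenerated = False

    @property
    def session_key(self):
        return self._session_key

    @staticmethod
    def key_is_well_formed(key):
        """Reject anything that could not have been issued by this store."""
        return (
            isinstance(key, str)
            and len(key) == KEY_LENGTH
            and all(c in KEY_ALPHABET for c in key)
        )

    def exists(self, key):
        return key in self._storage

    def _new_key(self):
        # The loop guards against the (negligible) chance of a collision.
        while True:
            key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))
            if not self.exists(key):
                return key

    def create(self):
        """Start an empty session under a key the store itself chose."""
        self._session_key = self._new_key()
        self._data = {}
        self._storage[self._session_key] = {}
        self.regenerated = True

    def load(self):
        """Load the session for the supplied key, or refuse it.

        This is the fixation defence: a key that is malformed or unknown to
        the backend is discarded and a fresh one generated, so a key planted
        in a victim's cookie never becomes a live session.
        """
        key = self._session_key
        if not self.key_is_well_formed(key) or not self.exists(key):
            self.create()
        else:
            self._data = dict(self._storage[key])
        return self._data

    def save(self):
        if self._data is None:
            self.load()
        self._storage[self._session_key] = dict(self._data)

    def __setitem__(self, name, value):
        if self._data is None:
            self.load()
        self._data[name] = value

    def __getitem__(self, name):
        if self._data is None:
            self.load()
        return self._data[name]


def unknown_key_is_refused(supplied_key):
    """Same idea as SessionTestsMixin.test_invalid_key: a session started with
    a key the backend never issued must end up under a different key.
    Returns True when the key was replaced and the replacement is live."""
    session = InMemorySessionStore(supplied_key)
    session.save()
    return session.session_key != supplied_key and session.exists(session.session_key)


if __name__ == "__main__":
    print("key '1' refused:", unknown_key_is_refused("1"))
    print("well-formed but unknown key refused:", unknown_key_is_refused("a" * KEY_LENGTH))
```

The two checks in `load` are deliberately separate: the format check cheaply discards keys that no backend could have produced, and the existence check is the one that matters against fixation, since a syntactically perfect key is still attacker-chosen if the backend never issued it. Whichever storage a backend uses, the observable contract a test like `test_invalid_key` pins down is the same: after `save()`, `session_key` must not equal the supplied value.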