Opened 7 years ago

Last modified 38 hours ago

#21076 assigned New feature

Offer the ability to store a hash of session IDs rather than the ID itself

Reported by: Tim Graham Owned by: Mark
Component: contrib.sessions Version: master
Severity: Normal Keywords:
Cc: Aymeric Augustin Triage Stage: Accepted
Has patch: yes Needs documentation: yes
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

We should offer the ability to store a hash each session ID in the session backend rather the the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may easier than gaining access to the database — he can login as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.

Change History (9)

comment:1 Changed 4 years ago by Rigel Di Scala

Owner: changed from nobody to Rigel Di Scala
Status: newassigned

comment:2 Changed 3 years ago by Chris Griffin

Owner: changed from Rigel Di Scala to Chris Griffin

comment:3 Changed 3 years ago by Chris Griffin

Has patch: set
Last edited 3 years ago by Tim Graham (previous) (diff)

comment:4 Changed 2 years ago by Carlton Gibson

Patch needs improvement: set

Aymeric reviewed this on the PR, leaving suggestions for improvement. Once those are (roughly) addressed please uncheck Patch needs improvement and we can have another look.

comment:5 Changed 4 months ago by Mark

Owner: changed from Chris Griffin to Mark

comment:6 Changed 4 months ago by Mark

Picking this up together with #31412

comment:7 Changed 4 months ago by Mark

Requesting feedback about naming convention (see this PR comment) to make a clear distinction between incoming "clear text" session keys and session keys that are stored in the sessions backend (potentially hashed, but not necessarily, depending on settings and existing session keys). My suggestion is to use the names frontend_key and backend_key respectively.

Also requesting feedback concerning a refactor of the SessionBase API to DRY-up the session key conversion (see this PR comment).

comment:8 Changed 4 months ago by Mark

Patch needs improvement: unset

New PR: https://github.com/django/django/pull/12814

Though the patch surely does still need improvement (documentation at the very least),
I'm removing the 'Patch needs improvement' flag to get some feedback on the current implementation.

comment:9 Changed 38 hours ago by felixxm

Cc: Aymeric Augustin added
Needs documentation: set
Patch needs improvement: set
Note: See TracTickets for help on using tickets.
Back to Top