Opened 11 years ago

Last modified 3 weeks ago

#21076 new New feature

Offer the ability to store a hash of session IDs rather than the ID itself

Reported by: Tim Graham Owned by:
Component: contrib.sessions Version: dev
Severity: Normal Keywords:
Cc: Aymeric Augustin, Roman Donchenko Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

We should offer the ability to store a hash each session ID in the session backend rather the the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may easier than gaining access to the database — he can login as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.

Change History (12)

comment:1 by Rigel Di Scala, 8 years ago

Owner: changed from nobody to Rigel Di Scala
Status: newassigned

comment:2 by Chris Griffin, 7 years ago

Owner: changed from Rigel Di Scala to Chris Griffin

comment:3 by Chris Griffin, 7 years ago

Has patch: set
Version 0, edited 7 years ago by Chris Griffin (next)

comment:4 by Carlton Gibson, 7 years ago

Patch needs improvement: set

Aymeric reviewed this on the PR, leaving suggestions for improvement. Once those are (roughly) addressed please uncheck Patch needs improvement and we can have another look.

comment:5 by Mark, 5 years ago

Owner: changed from Chris Griffin to Mark

comment:6 by Mark, 5 years ago

Picking this up together with #31412

comment:7 by Mark, 5 years ago

Requesting feedback about naming convention (see this PR comment) to make a clear distinction between incoming "clear text" session keys and session keys that are stored in the sessions backend (potentially hashed, but not necessarily, depending on settings and existing session keys). My suggestion is to use the names frontend_key and backend_key respectively.

Also requesting feedback concerning a refactor of the SessionBase API to DRY-up the session key conversion (see this PR comment).

comment:8 by Mark, 5 years ago

Patch needs improvement: unset

New PR: https://github.com/django/django/pull/12814

Though the patch surely does still need improvement (documentation at the very least),
I'm removing the 'Patch needs improvement' flag to get some feedback on the current implementation.

comment:9 by Mariusz Felisiak, 4 years ago

Cc: Aymeric Augustin added
Needs documentation: set
Patch needs improvement: set

comment:10 by Mariusz Felisiak, 20 months ago

Owner: Mark removed
Status: assignednew

comment:11 by Natalia Bidart, 16 months ago

Has patch: unset
Needs documentation: unset
Patch needs improvement: unset

comment:12 by Roman Donchenko, 3 weeks ago

Cc: Roman Donchenko added
Note: See TracTickets for help on using tickets.
Back to Top