Opened 11 years ago
Last modified 3 weeks ago
#21076 new New feature
Offer the ability to store a hash of session IDs rather than the ID itself
Reported by: | Tim Graham | Owned by: | |
---|---|---|---|
Component: | contrib.sessions | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Aymeric Augustin, Roman Donchenko | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
We should offer the ability to store a hash each session ID in the session backend rather the the ID itself. This hash should be reasonably fast, because it'll be re-computed for every request. Currently, if an attacker gains access to the session storage backend — which may easier than gaining access to the database — he can login as anyone on the site.
On a related note, we're inconsistent about whether or not we sign entries in the session backends. Some do, some don't. If we're hashing session keys by default, we should probably also sign everything by default.
Both of these things need an off-switch. There are a fair number of apps that rely on raw sessionids to provide cross-framework compatibility.
Change History (12)
comment:1 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 7 years ago
Owner: | changed from | to
---|
comment:4 by , 7 years ago
Patch needs improvement: | set |
---|
Aymeric reviewed this on the PR, leaving suggestions for improvement. Once those are (roughly) addressed please uncheck Patch needs improvement and we can have another look.
comment:5 by , 5 years ago
Owner: | changed from | to
---|
comment:7 by , 5 years ago
Requesting feedback about naming convention (see this PR comment) to make a clear distinction between incoming "clear text" session keys and session keys that are stored in the sessions backend (potentially hashed, but not necessarily, depending on settings and existing session keys). My suggestion is to use the names frontend_key
and backend_key
respectively.
Also requesting feedback concerning a refactor of the SessionBase
API to DRY-up the session key conversion (see this PR comment).
comment:8 by , 5 years ago
Patch needs improvement: | unset |
---|
New PR: https://github.com/django/django/pull/12814
Though the patch surely does still need improvement (documentation at the very least),
I'm removing the 'Patch needs improvement' flag to get some feedback on the current implementation.
comment:9 by , 4 years ago
Cc: | added |
---|---|
Needs documentation: | set |
Patch needs improvement: | set |
comment:10 by , 20 months ago
Owner: | removed |
---|---|
Status: | assigned → new |
comment:11 by , 16 months ago
Has patch: | unset |
---|---|
Needs documentation: | unset |
Patch needs improvement: | unset |
comment:12 by , 3 weeks ago
Cc: | added |
---|