Opened 9 years ago

Closed 8 years ago

#2249 closed enhancement (invalid)

MD5 is broken sometimes, an option to use SHA would be appreciated.

Reported by: pol@… Owned by: nobody
Component: Contrib apps Version:
Severity: normal Keywords: modpython md5 session
Cc: nikl@… Triage Stage: Design decision needed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


Machine Info:
Debian Linux 2.4.26-1-386
mod_python 3.1
Python 2.3

Apparently my version of mod_python is not generating md5 strings well. As a result, the session was throwing a "Suspicious Operation" exception when checking for cookie tampering. I am not the first person that this has happened to.

The following fixed the problem:
Modify contrib/sessions/ and contrib/admin/views/

  • Import sha and change *md5* to *sha*
  • Change encoded_data[:-32], encoded_data[-32:] to encoded_data[:-40], encoded_data[-40:]

Add a SESSION_KEY_TYPE var to that allows the user to specify md5 or sha session keys.

Attachments (2)

svn.diff (4.1 KB) - added by nikl@… 9 years ago.
svn diff of the changed files (1.1 KB) - added by nikl@… 9 years ago.
I had put this in django/utils/


Change History (7)

comment:1 Changed 9 years ago by nikl@…

  • Cc nikl@… added
  • Keywords modpython md5 session added

The topic has been brought up on the mailing lists, e.g.:

I'd like to propose that the hashing algorithm should be put somewhere else, with the possibility to set the preferred hashing algorithm generally, since this is used in several situations (sessions, postdata, comments, ...). Possibly something along the lines of the attached patch?

Changed 9 years ago by nikl@…

svn diff of the changed files

Changed 9 years ago by nikl@…

I had put this in django/utils/

comment:2 Changed 9 years ago by nikl@…

For anybody who's also experiencing this problem, Alain Tesio mentioned
another odd factor and its workaround on the modpy mailing list:

comment:3 Changed 9 years ago by mountainpaul

I had the same problem and a similar solution: instead of dumping the md5, I just test to see if it is working properly by

    if md5.new('testencrypt').hexdigest() != '17500f56515d37cd65a68aca1b4679a6':
        pass  # md5 is not working properly here, so use sha instead

If it fails then I use sha, if it passes I use md5.
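
An added example, not Django's code and not the attached patch: a tamper-checked cookie whose trailing hex digest length is derived from the chosen algorithm (32 for md5, 40 for sha, the slice change in the ticket description), with a known-answer self-test in the spirit of comment:3 choosing the algorithm. The cookie layout, all names and the secret are assumptions, and HMAC is swapped in for a plain hash.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; stands in for the site's secret key.
SECRET = b"constructed-example-secret"

# Standard "abc" test vectors, used as a known-answer self-test.
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
}


class TamperedCookie(Exception):
    """Raised when the trailing digest does not match the payload."""


def hash_is_sane(algo):
    """Known-answer test: does this build compute the digest correctly?"""
    try:
        return hashlib.new(algo, b"abc").hexdigest() == KNOWN_ANSWERS[algo]
    except ValueError:  # algorithm unavailable in this build
        return False


def pick_algo(preferred="md5", fallback="sha1"):
    """Use the preferred digest only if it passes its self-test."""
    return preferred if hash_is_sane(preferred) else fallback


def encode(payload, algo):
    """Assumed layout: base64(payload + hex digest keyed with SECRET)."""
    tag = hmac.new(SECRET, payload, algo).hexdigest().encode("ascii")
    return base64.b64encode(payload + tag)


def decode(cookie, algo):
    raw = base64.b64decode(cookie)
    # Hex digest length follows from the algorithm: 32 for md5, 40 for sha1.
    n = hashlib.new(algo).digest_size * 2
    if len(raw) < n:
        raise TamperedCookie("cookie shorter than digest")
    payload, tag = raw[:-n], raw[-n:]
    expected = hmac.new(SECRET, payload, algo).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise TamperedCookie("digest mismatch")
    return payload
```

A cookie issued under one algorithm fails the check under the other, so switching the digest invalidates existing sessions.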

comment:4 Changed 9 years ago by SmileyChris

  • Triage Stage changed from Unreviewed to Design decision needed

From nikl's comment, this looks like it's caused by another library being installed: libmhash2, not a Django problem.

Still, if it's a problem then perhaps we should have a workaround?

comment:5 Changed 8 years ago by ubernostrum

  • Resolution set to invalid
  • Status changed from new to closed

Since this appears to be caused by a third-party library breaking things that are out of our control, I'm going to mark invalid.
