Changes between Initial Version and Version 1 of Ticket #31412, comment 2
Timestamp: Mar 31, 2020, 5:05:09 PM

Legend: Unmodified / Added / Removed / Modified
Ticket #31412, comment 2

Initial version:

Looking at [https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 Rack patch] I think this might have a bit of overlap with #21076 ([https://github.com/django/django/pull/8736 PR]). If the session ID were hashed it wouldn't be possible to use timing attacks on the btree-index to statistically walk your way to a valid session ID.

Version 1:

Looking at [https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 Rack patch] I think this might have a bit of overlap with #21076 ([https://github.com/django/django/pull/8736 PR]). If the session ID were hashed it wouldn't be possible to use timing attacks on the btree-index to statistically walk your way to a valid session ID. It might be time to revive that old PR.

Added in v1: "It might be time to revive that old PR."