Opened 16 years ago

Closed 16 years ago

#7418 closed (worksforme)

session middleware claims user tampered with session cookie

Reported by: Michael Soulier <msoulier@…>
Owned by: nobody
Component: contrib.sessions
Version: 0.96
Severity:
Keywords:
Cc: spage@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I am using the latest stable release of Django, 0.96, on CentOS Linux 4.6 with PostgreSQL postgresql-7.4.13-2.RHEL4.1.

I have had problems maintaining session persistence so I dropped some debug code into the session middleware, and found this:

INFO:django-teleworker:Session key is f26b6104bc3d7fa04311857265c3d3c5
session was in cache
failed to pull session from db, making new one
err = User tampered with session cookie.

django.contrib.sessions.models.Session.get_decoded is raising a SuspiciousOperation exception. It's not clear why.

>>> from django.contrib.sessions.models import Session
>>> q = Session.objects.all()
>>> for s in q:
...    print s.get_decoded()
...
Traceback (most recent call last):
  File "<console>", line 2, in ?
  File "/var/tmp/django-0.96.2-root/usr/lib/python2.3/site-packages/django/contrib/sessions/models.py", line 82, in get_decoded
SuspiciousOperation: User tampered with session cookie.

As things are I may have to remove this check to get things working. I looked in the trunk in SVN and this code doesn't seem any different.

Change History (5)

comment:1 by Michael Soulier <msoulier@…>, 16 years ago

tamper_check is a305745fe8814bc9d8c035287c6f6f67
DEBUG:django-teleworker:md5 output is 6d362166ae93f8326e90ef32a0b748ab

For some reason, the md5 sums aren't matching.

comment:3 by Michael Soulier <msoulier@…>, 16 years ago

I just patched the session middleware to use sha instead of md5, and it seems to be working.

comment:4 by spage@…, 16 years ago

Cc: spage@… added

Adding self to cc

comment:5 by Jacob, 16 years ago

Resolution: worksforme
Status: new → closed

I can't reproduce this on trunk. Please reopen if you have more details that help reproduce the problem.
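
The ticket closes without an established cause. As an added illustration (not Django's code and not from the ticket), the sketch below models the check the thread describes, a hex digest over payload plus secret key appended to the stored data, and shows which disagreements between the writing and the reading side make it fail. The function names, keys and payload are constructed for the example.

```python
import base64
import hashlib
import hmac

HEX_LEN = {"md5": 32, "sha1": 40}  # length of each algorithm's hex digest


def encode_session(payload: bytes, secret: bytes, algo: str = "md5") -> bytes:
    """Writer side: payload followed by hexdigest(payload + secret), base64-encoded."""
    check = hashlib.new(algo, payload + secret).hexdigest().encode("ascii")
    return base64.b64encode(payload + check)


def diagnose(stored: bytes, secret: bytes, algo: str = "md5") -> str:
    """Reader side: recompute the digest and report why the check passes or fails."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "not-base64"
    n = HEX_LEN[algo]
    if len(raw) <= n:
        return "too-short"
    payload, check = raw[:-n], raw[-n:]
    expected = hashlib.new(algo, payload + secret).hexdigest().encode("ascii")
    # Constant-time comparison, unlike a plain != on the two strings.
    return "ok" if hmac.compare_digest(expected, check) else "digest-mismatch"


def scenarios() -> dict:
    """Constructed inputs: one good round trip and four write/read disagreements."""
    payload = b"constructed-session-payload"  # stands in for the serialized session
    key_a, key_b = b"constructed-secret-A", b"constructed-secret-B"
    good = encode_session(payload, key_a)
    flipped = base64.b64encode(b"X" + base64.b64decode(good)[1:])
    return {
        "same key, same hash": diagnose(good, key_a),
        "reader has another key": diagnose(good, key_b),
        "stored payload altered": diagnose(flipped, key_a),
        "written sha1, read md5": diagnose(encode_session(payload, key_a, "sha1"), key_a),
        "row truncated": diagnose(good[:-3], key_a),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} {result}")
```

In this model the check is deterministic: it passes whenever the writer and the reader agree on the stored bytes, the secret and the hash algorithm, so a mismatch points to one of those three differing between the two sides.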
