Full Disclosure mailing list archives
Re: [Django] Cookie-based session storage session invalidation issue
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 3 Oct 2013 17:46:37 -0400
Again, the behavior is a surprise to most developers.
If it surprises developers, then what do you think it does to unsuspecting users? It's akin to a builder installing a lock on a house that does not work, and the builder not telling the home owner. Its already game over, whether its documented or not. Perhaps the Django developers should take time to read Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (www.cl.cam.ac.uk/~rja14/book.html). Jeff On Thu, Oct 3, 2013 at 10:39 AM, G. S. McNamara <main () gsmcnamara com> wrote:
Hi Paul, The documentation you linked to was updated yesterday to reflect the issue I brought up with cookie-stored sessions. Again, the behavior is a surprise to most developers. Thanks! G. S. McNamara On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul () mcmillan ws> wrote:G. S. McNamara: Perhaps next you will disclose that if an attacker obtains a user's password, they can log in as that user. Seriously, "full disclosure" of well documented behavior is not particularly impressive. https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions Cheers, -PaulFrom: "G. S. McNamara" <main () gsmcnamara com> To: <full-disclosure () lists grok org uk> Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue FD, I’m back! Django versions 1.4 – 1.7 offer a cookie-based session storage option (not the default > this time) that is afflicted by the same issue I posted about previously concerning Ruby > on Rails: If you obtain a user’s cookie, even if they log out, you can still log in as them. The short write-up is here, if needed: http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/ Cheers,
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 02)
- <Possible follow-ups>
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Jeffrey Walton (Oct 03)