oss-sec mailing list archives
Re: A note on cookie based sessions
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Fri, 04 Oct 2013 11:27:01 +0600
Kurt Seifried wrote:
> So this has been published:
> http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> Basically it boils down to this: cookie based session handling where you don't store state data on the backend, but instead have a cookie, possibly with an expiration time coded into it, can be used in replay attacks.
I am very much surprised that Flask is not mentioned at all in your e-mail. Its default session handler uses only signed cookies, and they can't even change the default because they don't have the DB layer or any other persistent storage out of the box.
The Flask site is down at the moment, so no link to the documentation. But the problem is known; see this link for example:
http://stackoverflow.com/questions/13735024/invalidate-an-old-session-in-flask

-- 
Alexander E. Patrakov
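The replay problem the thread describes, shown as an added example (not code from the thread or from Flask): a purely signed cookie session, which keeps verifying after logout, next to the minimal server-side state (a per-user session generation counter, an assumed design) that lets logout actually invalidate issued cookies. The secret key and the `SESSION_GENERATION` store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-secret-key"

def sign_session(data: dict) -> str:
    """Serialise a session dict into a signed cookie value: payload.signature"""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def load_session(cookie: str):
    """Return the session dict if the HMAC verifies, otherwise None."""
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

# Minimal server-side state (assumed design): one integer per user.
SESSION_GENERATION = {}

def login(user: str, now=None) -> str:
    now = int(time.time()) if now is None else now
    gen = SESSION_GENERATION.setdefault(user, 0)
    return sign_session({"user": user, "gen": gen, "exp": now + 3600})

def logout(user: str) -> None:
    """Bump the generation so every cookie issued earlier for this user is rejected."""
    SESSION_GENERATION[user] = SESSION_GENERATION.get(user, 0) + 1

def user_from_cookie_stateless(cookie: str, now=None):
    """Signature and expiry only: the default behaviour discussed in the thread."""
    now = int(time.time()) if now is None else now
    session = load_session(cookie)
    if session is None or session["exp"] <= now:
        return None
    return session["user"]

def user_from_cookie_revocable(cookie: str, now=None):
    """Same checks plus a generation match, so logout invalidates old cookies."""
    user = user_from_cookie_stateless(cookie, now)
    if user is None:
        return None
    if load_session(cookie)["gen"] != SESSION_GENERATION.get(user, 0):
        return None
    return user
```

A captured cookie stays valid for the stateless check until `exp` passes, which is the whole point of the thread; the revocable check rejects it as soon as the user logs out.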