Full Disclosure mailing list archives
Re: [Django] Cookie-based session storage session invalidation issue
From: Paul McMillan <paul () mcmillan ws>
Date: Thu, 3 Oct 2013 18:41:37 +0100
Here's the commit that added the warning 2 years ago to the 1.4 documentation: https://github.com/django/django/commit/6205a348f084cbab8d2953accecfc04b9fc75543 https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions Let me quote for you: "No freshness guarantee Note also that while the MAC can guarantee the authenticity of the data (that it was generated by your site, and not someone else), and the integrity of the data (that it is all there and correct), it cannot guarantee freshness i.e. that you are being sent back the last thing you sent to the client. This means that for some uses of session data, the cookie backend might open you up to replay attacks. Cookies will only be detected as ‘stale’ if they are older than your SESSION_COOKIE_AGE." While I agree that this might be unexpected behavior, I think it is not unreasonable to expect developers to read the large warning callout collocated with the feature they are enabling. Clearly it is too much to ask of security researchers, however, so that section was made even larger and more explicit. -Paul On Thu, Oct 3, 2013 at 3:39 PM, G. S. McNamara <main () gsmcnamara com> wrote:
Hi Paul, The documentation you linked to was updated yesterday to reflect the issue I brought up with cookie-stored sessions. Again, the behavior is a surprise to most developers. Thanks! G. S. McNamara On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul () mcmillan ws> wrote:G. S. McNamara: Perhaps next you will disclose that if an attacker obtains a user's password, they can log in as that user. Seriously, "full disclosure" of well documented behavior is not particularly impressive. https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions Cheers, -PaulFrom: "G. S. McNamara" <main () gsmcnamara com> To: <full-disclosure () lists grok org uk> Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue FD, I’m back! Django versions 1.4 – 1.7 offer a cookie-based session storage option (not the default > this time) that is afflicted by the same issue I posted about previously concerning Ruby > on Rails: If you obtain a user’s cookie, even if they log out, you can still log in as them. The short write-up is here, if needed: http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/ Cheers,_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 02)
- <Possible follow-ups>
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Paul McMillan (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue G. S. McNamara (Oct 03)
- Re: [Django] Cookie-based session storage session invalidation issue Jeffrey Walton (Oct 03)