Full Disclosure mailing list archives
Re: [Django] Cookie-based session storage session invalidation issue
From: "G. S. McNamara" <main () gsmcnamara com>
Date: Thu, 3 Oct 2013 10:39:39 -0400
Hi Paul,

The documentation you linked to was updated yesterday to reflect the issue I brought up with cookie-stored sessions. Again, the behavior is a surprise to most developers.

Thanks!
G. S. McNamara

On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul () mcmillan ws> wrote:

> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's password, they can log in as that user.
>
> Seriously, "full disclosure" of well documented behavior is not particularly impressive.
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <main () gsmcnamara com>
> > To: <full-disclosure () lists grok org uk>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
> >
> > FD, I'm back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option (not the default this time) that is afflicted by the same issue I posted about previously concerning Ruby on Rails: If you obtain a user's cookie, even if they log out, you can still log in as them.
> >
> > The short write-up is here, if needed:
> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> >
> > Cheers,
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
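The behaviour argued about in this thread, as an added example that is not part of the original posts or of Django's code: a minimal HMAC-signed cookie session in Python, with a check that trusts the cookie alone beside one that also consults server-side state. The secret key, the user name and the in-memory generation table are constructed for the demo; the per-user "session generation" counter is one common way to make logout revoke already-issued cookies and is not a description of how Django implements it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment reads its signing key from configuration.
SECRET_KEY = b"constructed-demo-secret-key"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def sign_session(data: dict) -> str:
    """Serialise session data into a signed cookie value of the form payload.signature."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())
    return (payload + b"." + sig).decode()


def load_session(cookie: str) -> Optional[dict]:
    """Verify the signature and return the session data, or None if malformed or tampered."""
    try:
        payload, sig = cookie.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(payload))


# Server-side state that a purely cookie-based store does not keep:
# a per-user session generation counter (constructed in-memory table).
SESSION_GENERATION = {"alice": 0}


def login(user: str) -> str:
    """Issue a signed cookie carrying the user's current generation number."""
    return sign_session({"user": user, "gen": SESSION_GENERATION[user]})


def logout(user: str) -> None:
    """Bump the generation so every cookie issued before this call becomes stale."""
    SESSION_GENERATION[user] += 1


def authenticate_cookie_only(cookie: str) -> Optional[str]:
    """Stateless check: any validly signed cookie is accepted, even after the user logged out."""
    session = load_session(cookie)
    return session["user"] if session else None


def authenticate_with_revocation(cookie: str) -> Optional[str]:
    """Signature check plus comparison against the server-side generation counter."""
    session = load_session(cookie)
    if session is None:
        return None
    if session.get("gen") != SESSION_GENERATION.get(session.get("user")):
        return None
    return session["user"]


def demo() -> dict:
    """Walk through issue, logout and reuse of one cookie under both checks."""
    cookie = login("alice")  # a copy of this value made while logged in is what the thread is about
    result = {
        "before_logout": (authenticate_cookie_only(cookie), authenticate_with_revocation(cookie)),
    }
    logout("alice")  # the browser drops its cookie, but the old value still exists elsewhere
    result["after_logout"] = (authenticate_cookie_only(cookie), authenticate_with_revocation(cookie))
    # A one-character change to the signature is rejected by both checks.
    flipped = "A" if cookie[-1] != "A" else "B"
    result["tampered"] = authenticate_cookie_only(cookie[:-1] + flipped)
    return result


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is that signing only proves the cookie was issued by the server; it says nothing about whether the session has since ended. Revoking a stateless session therefore always needs some server-side record (a generation counter, a denylist of logged-out session ids, or a short expiry), which is the trade-off the linked Django documentation spells out.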