Re: [Django] Cookie-based session storage session invalidation issue

["G. S. McNamara" <main () gsmcnamara com>]

Hi Paul,

The documentation you linked to was updated yesterday to reflect the issue
I brought up with cookie-stored sessions.

Again, the behavior is a surprise to most developers.


Thanks!

G. S. McNamara


On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul () mcmillan ws> wrote:

> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's
> password, they can log in as that user. Seriously, "full disclosure"
> of well documented behavior is not particularly impressive.
>
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <main () gsmcnamara com>
> > To: <full-disclosure () lists grok org uk>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
> invalidation issue
> > FD,
> >
> > I’m back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
> (not the default > this time) that is afflicted by the same issue I posted
> about previously concerning Ruby > on Rails:
> > If you obtain a user’s cookie, even if they log out, you can still log
> in as them.
> > The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> > Cheers,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/