Commit Graph

25 Commits

Author SHA1 Message Date
Alex Gaynor 6ca7c9c495 Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
Carl Meyer b8a8066ac4 Fixed duplicate-named contrib.sessions tests, and removed unused import (cleanup from doctest conversion).
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-31 18:37:28 +00:00
Russell Keith-Magee 993612c84d Fixed #15026 -- Added cleanup to the invalid key session tests; when using Memcached as a cache backend, the cache-backed session backends would fail on the second run due to leftover cache artefacts. Thanks to jsdalton for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-17 14:03:19 +00:00
Russell Keith-Magee 78be884ea7 Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:30:50 +00:00
Luke Plant 0324151bec Fixed #14685 - incompatible code in contrib.sessions.models
Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 22:23:46 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 121d2e3678 Fixed #12991 -- Added unittest2 support. Thanks to PaulM for the draft patch, and to Luke, Karen, Justin, Alex, Łukasz Rekucki, and Chuck Harmston for their help testing and reviewing the final patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:55:17 +00:00
Russell Keith-Magee 597e03cd74 Fixed #14096 -- Corrected Python 2.4 syntax issue. Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13579 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-14 12:11:02 +00:00
Luke Plant 5eece23296 Converted sessions tests from doctest to unittest.
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
Malcolm Tredinnick d77236960a Fixed #9548 -- Correctly detect existence of empty sessions with cache backend.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9934 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-01 07:32:41 +00:00
Jacob Kaplan-Moss 299e1e814f Fixed #6791: added a write-through cache session backend: session data is written through the cache to the database, but read from the cache for speed. Thanks to jhenry, mcroydon, and jdunck.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9727 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-10 22:18:14 +00:00
Jacob Kaplan-Moss b21ea0a836 More be-nice-to-the-buildbot: be better about cleaning up files created by the cache/session tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-10 21:41:12 +00:00
Malcolm Tredinnick c8c159cbba When logging in, change the session key whilst preserving any existing
sesssion. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 13:54:53 +00:00
Malcolm Tredinnick 54f9a98713 Fixed #8351 -- Fixed the returned value when we attempt to load a cache-backed session object that doesn't alreayd exist.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-16 15:54:36 +00:00
Malcolm Tredinnick 9e423b51e3 Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via
a cookie) with no corresponding entry in the database.

This only affected the database backend, but I've applied the same fix to all
three backends for robustness.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 19:43:08 +00:00
Malcolm Tredinnick 5e8efa9a60 Implemented a flush() method on sessions that cleans out the session and
regenerates the key. Used to ensure the caller gets a fresh session at logout,
for example.

Based on a patch from mrts. Refs #7515.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8342 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:46 +00:00
Malcolm Tredinnick 31ec68c5d9 Added a clear() method to sessions. Patch from mrts. Refs #7515.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8341 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 03:57:30 +00:00
Russell Keith-Magee dc7f21daf7 Fixed #7429 -- Modified the Session base class a little more dictionary-like by adding update(), has_key(), values(), and iterator access methods. Thanks to Jeremy Dunck for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7687 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-18 12:07:46 +00:00
Jacob Kaplan-Moss 8d4f79a799 Fixed #2548: added get/set_expiry methods to session objects. Thanks, Amit Upadhyay and SmileyChris.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@7586 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-06-07 20:28:06 +00:00
Jacob Kaplan-Moss 35921e570b Added a test for [6889]
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6890 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-04 20:29:43 +00:00
Malcolm Tredinnick 49da9ab57e Fixed #6087 -- Added setdefault() support to the Session object. Thanks, Ben
Slavin.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6831 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-12-02 15:27:29 +00:00
Malcolm Tredinnick 4c0d8d882d Fixed #4729 -- Restored functionality to the Session class so that popping a
value marks it as modified. This was accidentally lost in the changes in
[6333]. Thanks, __hawkeye__.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@6558 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-10-20 10:12:59 +00:00
Jacob Kaplan-Moss bcf7e9a9fe Fixed #2066: session data can now be stored in the cache or on the filesystem. This should be fully backwards-compatible (the database cache store is still the default). A big thanks to John D'Agostino for the bulk of this code.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@6333 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-09-15 21:29:14 +00:00
Adrian Holovaty f9a592d99d Fixed #4729 -- SessionWrapper.pop now sets modified flag if necessary. Thanks, Ben Slavin, SmileyChris and Collin Grady
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5592 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-07-03 15:02:40 +00:00
Malcolm Tredinnick 4c53116144 Fixed #4338 -- Added pop() method to SessionWrapper. Thanks, Gary Wilson.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@5306 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2007-05-21 04:03:53 +00:00