From 6205a348f084cbab8d2953accecfc04b9fc75543 Mon Sep 17 00:00:00 2001
From: Luke Plant <L.Plant.98@cantab.net>
Date: Mon, 17 Oct 2011 15:43:24 +0000
Subject: [PATCH] Added warning about replay attacks when using the cookies
 backend for sessions.

The paragraph about encryption was reworded for clarity.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/topics/http/sessions.txt | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index a2849ae6eb..0826310514 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
 
 .. warning::
 
-    **The session data is signed but not encrypted!**
+    **The session data is signed but not encrypted**
 
-    When using the cookies backend the session data can be read out
-    and will be invalidated when being tampered with. The same invalidation
-    happens if the client storing the cookie (e.g. your user's browser)
-    can't store all of the session cookie and drops data. Even though
-    Django compresses the data, it's still entirely possible to exceed
-    the `common limit of 4096 bytes`_ per cookie.
+    When using the cookies backend the session data can be read by the client.
 
-    Also, the size of a cookie can have an impact on the `speed of your site`_.
+    A MAC (Message Authentication Code) is used to protect the data against
+    changes by the client, so that the session data will be invalidated when being
+    tampered with. The same invalidation happens if the client storing the
+    cookie (e.g. your user's browser) can't store all of the session cookie and
+    drops data. Even though Django compresses the data, it's still entirely
+    possible to exceed the `common limit of 4096 bytes`_ per cookie.
+
+    **No freshness guarantee**
+
+    Note also that while the MAC can guarantee the authenticity of the data
+    (that it was generated by your site, and not someone else), and the
+    integrity of the data (that it is all there and correct), it cannot
+    guarantee freshness i.e. that you are being sent back the last thing you
+    sent to the client. This means that for some uses of session data, the
+    cookie backend might open you up to `replay attacks`_. Cookies will only
+    detected as 'stale' if they are older than your
+    :setting:`SESSION_COOKIE_AGE`.
+
+    **Performance**
+
+    Finally, the size of a cookie can have an impact on the `speed of your site`_.
 
 .. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
+.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
 .. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
 
 Using sessions in views