p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added warning about replay attacks when using the cookies backend for sessions. 

The paragraph about encryption was reworded for clarity.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-10-17 15:43:24 +00:00
parent 87ffc6a6c2
commit 6205a348f0
1 changed files with 24 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
docs/topics/http/sessions.txt
View File

@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
.. warning:: .. warning::
**The session data is signed but not encrypted!** **The session data is signed but not encrypted**
When using the cookies backend the session data can be read out When using the cookies backend the session data can be read by the client.
and will be invalidated when being tampered with. The same invalidation
happens if the client storing the cookie (e.g. your user's browser)
can't store all of the session cookie and drops data. Even though
Django compresses the data, it's still entirely possible to exceed
the `common limit of 4096 bytes`_ per cookie.
Also, the size of a cookie can have an impact on the `speed of your site`_. A MAC (Message Authentication Code) is used to protect the data against
changes by the client, so that the session data will be invalidated when being
tampered with. The same invalidation happens if the client storing the
cookie (e.g. your user's browser) can't store all of the session cookie and
drops data. Even though Django compresses the data, it's still entirely
possible to exceed the `common limit of 4096 bytes`_ per cookie.
**No freshness guarantee**
Note also that while the MAC can guarantee the authenticity of the data
(that it was generated by your site, and not someone else), and the
integrity of the data (that it is all there and correct), it cannot
guarantee freshness i.e. that you are being sent back the last thing you
sent to the client. This means that for some uses of session data, the
cookie backend might open you up to `replay attacks`_. Cookies will only
detected as 'stale' if they are older than your
:setting:`SESSION_COOKIE_AGE`.
**Performance**
Finally, the size of a cookie can have an impact on the `speed of your site`_.
.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3 .. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/ .. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
Using sessions in views Using sessions in views