mirror of https://github.com/django/django.git
Added warning about replay attacks when using the cookies backend for sessions.
The paragraph about encryption was reworded for clarity. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant
parent
87ffc6a6c2
commit
6205a348f0
|
|
@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
|
|||
|
||||
.. warning::
|
||||
|
||||
**The session data is signed but not encrypted!**
|
||||
**The session data is signed but not encrypted**
|
||||
|
||||
When using the cookies backend the session data can be read out
|
||||
and will be invalidated when being tampered with. The same invalidation
|
||||
happens if the client storing the cookie (e.g. your user's browser)
|
||||
can't store all of the session cookie and drops data. Even though
|
||||
Django compresses the data, it's still entirely possible to exceed
|
||||
the `common limit of 4096 bytes`_ per cookie.
|
||||
When using the cookies backend the session data can be read by the client.
|
||||
|
||||
Also, the size of a cookie can have an impact on the `speed of your site`_.
|
||||
A MAC (Message Authentication Code) is used to protect the data against
|
||||
changes by the client, so that the session data will be invalidated when being
|
||||
tampered with. The same invalidation happens if the client storing the
|
||||
cookie (e.g. your user's browser) can't store all of the session cookie and
|
||||
drops data. Even though Django compresses the data, it's still entirely
|
||||
possible to exceed the `common limit of 4096 bytes`_ per cookie.
|
||||
|
||||
**No freshness guarantee**
|
||||
|
||||
Note also that while the MAC can guarantee the authenticity of the data
|
||||
(that it was generated by your site, and not someone else), and the
|
||||
integrity of the data (that it is all there and correct), it cannot
|
||||
guarantee freshness i.e. that you are being sent back the last thing you
|
||||
sent to the client. This means that for some uses of session data, the
|
||||
cookie backend might open you up to `replay attacks`_. Cookies will only
|
||||
detected as 'stale' if they are older than your
|
||||
:setting:`SESSION_COOKIE_AGE`.
|
||||
|
||||
**Performance**
|
||||
|
||||
Finally, the size of a cookie can have an impact on the `speed of your site`_.
|
||||
|
||||
.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
|
||||
.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
|
||||
.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
|
||||
|
||||
Using sessions in views
|
||||
|
|
|
|||
Loading…
Reference in New Issue