Hello, I'm requesting that someone please fix the code in the sessions module to make Django secure. Currently Django is vulnerable to session hijacking. Even though the keys are long, a brute-force attack to gain access to a site would not be difficult: the attacker keeps trying until they get a valid item on the page they're trying to access. Giving the client two keys makes a site more secure, to a point. Users who don't use a secure connection over SSL are still at risk, since packets can be sniffed; however, administrators are expected to force logged-in users to use a secure connection.
1) People have been using this exploit for years: http://www.theregister.co.uk/2005/06/08/hotmail_hack/

2) This means anyone who runs Django and uses the default sessions module is running an insecure site by design. There is only one key to crack; if the site is a medical database, then the site would be a target. I do plan to be using Django in a medical environment, and am rather disgusted at the current state, because the ticket was opened 11 months ago: http://code.djangoproject.com/ticket/3285

3) Why is it taking so long to look at needed features and insecurities like this? My example patch took 8 months for someone to implement and commit to trunk.

My recommendation is to incorporate code in the default session module which is included in Django: http://code.google.com/p/django-signedcookies/

David Ross
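The "two keys" idea the post refers to (a random session id plus a signature only the server can produce) is illustrated below as an added example. It is not Django's own session code and not the django-signedcookies project's code; the function names, the cookie layout `session_id:hmac` and the `SERVER_SECRET` value are assumptions chosen for illustration. The point it demonstrates is that with an unsigned cookie a guessed session id is accepted as-is (one key to crack), whereas with an HMAC-signed cookie a guessed id is rejected unless the attacker also knows the server secret.

```python
"""Added example: HMAC-signed session cookies versus bare session ids.

Not Django's code and not django-signedcookies; all names here are
illustrative assumptions. Runs offline with the standard library only.
"""
import hashlib
import hmac
import secrets

# Assumption: in real deployments this is a long random value kept private
# on the server. A fixed value is used here only so the example is repeatable.
SERVER_SECRET = b"constructed-secret-for-illustration-only"


def new_session_id() -> str:
    """128 bits from the OS CSPRNG, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def sign_session_id(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Build the cookie value the client receives: '<session_id>:<hmac>'."""
    mac = hmac.new(secret, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{session_id}:{mac}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the session id if the cookie's signature checks out, else None.

    The signature is recomputed server-side and compared in constant time,
    so neither a guessed id nor a tampered signature gets past this point.
    """
    session_id, sep, mac = cookie.partition(":")
    if not sep or not session_id or not mac:
        return None
    expected = hmac.new(secret, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return session_id


# Constructed session store: session id -> user name.
SESSION_STORE = {
    "0123456789abcdef0123456789abcdef": "alice",
}


def unsigned_lookup(session_id: str):
    """The 'one key to crack' case: whatever id the client sends is looked up."""
    return SESSION_STORE.get(session_id)


def signed_lookup(cookie: str, secret: bytes = SERVER_SECRET):
    """The 'two keys' case: the id is only looked up after its HMAC verifies."""
    session_id = verify_cookie(cookie, secret)
    if session_id is None:
        return None
    return SESSION_STORE.get(session_id)


def attacker_guess(guessed_id: str):
    """Simulate a brute-forcer who has guessed a valid id but not the secret.

    Returns (result_with_unsigned_cookies, result_with_signed_cookies).
    The attacker cannot compute the real HMAC, so they send a forged one.
    """
    forged_cookie = f"{guessed_id}:{'0' * 64}"
    return unsigned_lookup(guessed_id), signed_lookup(forged_cookie)


if __name__ == "__main__":
    sid = "0123456789abcdef0123456789abcdef"
    print("legitimate client:", signed_lookup(sign_session_id(sid)))
    print("attacker guessing the id:", attacker_guess(sid))
```

Running the block shows the legitimate client resolving to `alice`, while the attacker who guessed the very same id gets `alice` from the unsigned lookup and `None` from the signed one. The signature does not replace SSL: as the post notes, a sniffer who captures the whole cookie can replay it, so the signed cookie only closes the guessing route.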
