Hello!

The Django session framework stores session-ids in the database as
plain-text. Unless I'm missing something, these ids could be
vulnerable to SQL injection attacks, if any are discovered or if
developers misuse features like extra(). This vulnerability could be
mitigated if the session-ids were hashed with a secure cryptographic
hash function, like SHA-256, before storing them or querying for them
in the database.

This concern has recently been raised for Joomla! on the Full
Disclosure mailing list:
http://seclists.org/fulldisclosure/2016/Sep/50

What is your opinion on this matter? It could be fairly trivial to
implement, with the only side effect of being computationally
expensive. Still, security is more desirable than efficiency or
performance.

Rigel.
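The mitigation Rigel describes, as an added example that is not Django's code and not part of the original post: a minimal database-backed session store that keeps only a SHA-256 digest of the session key in the table and hashes the key again on every lookup. It uses sqlite3 so it runs offline; the table layout, the key length and the `dump_table` helper (standing in for whatever a SQL injection or a misused `extra()` might let an attacker read) are assumptions made for the illustration.

```python
"""Session store that keeps only a SHA-256 digest of the session key in the DB.

Added illustration, not Django's own session backend. The real session key
exists only in the client's cookie; the database never sees it.
"""
import hashlib
import secrets
import sqlite3
from typing import List, Optional, Tuple


def hash_session_key(session_key: str) -> str:
    """Digest used as the database lookup key.

    Plain SHA-256 is enough here: session keys are high-entropy random
    tokens, so preimage resistance alone prevents recovering a usable key
    from a leaked digest. No salting or slow hashing is needed, unlike for
    passwords, and one SHA-256 per request costs far less than the query.
    """
    return hashlib.sha256(session_key.encode("ascii")).hexdigest()


class HashedKeySessionStore:
    """Constructed stand-in for a DB-backed session store (assumed schema)."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS session ("
            "  session_key_hash TEXT PRIMARY KEY,"
            "  session_data TEXT NOT NULL)"
        )

    def create(self, session_data: str) -> str:
        """Create a session and return the key to be set in the cookie."""
        # Assumption: 32 URL-safe chars of CSPRNG output, comparable to a
        # Django session key in entropy.
        session_key = secrets.token_urlsafe(24)
        self.conn.execute(
            "INSERT INTO session (session_key_hash, session_data) VALUES (?, ?)",
            (hash_session_key(session_key), session_data),
        )
        self.conn.commit()
        return session_key

    def load(self, session_key: str) -> Optional[str]:
        """Look the session up by the digest of the presented cookie value."""
        row = self.conn.execute(
            "SELECT session_data FROM session WHERE session_key_hash = ?",
            (hash_session_key(session_key),),
        ).fetchone()
        return row[0] if row else None

    def delete(self, session_key: str) -> None:
        self.conn.execute(
            "DELETE FROM session WHERE session_key_hash = ?",
            (hash_session_key(session_key),),
        )
        self.conn.commit()

    def dump_table(self) -> List[Tuple[str, str]]:
        """Everything an attacker would obtain by reading the whole table.

        Constructed stand-in for what an injection elsewhere in the app
        could exfiltrate; it is not itself the vulnerable query.
        """
        return self.conn.execute(
            "SELECT session_key_hash, session_data FROM session"
        ).fetchall()


def demo() -> dict:
    """Create a session, 'leak' the table, and try to use the leaked value."""
    store = HashedKeySessionStore(sqlite3.connect(":memory:"))
    key = store.create('{"_auth_user_id": "42"}')  # constructed session payload
    leaked = store.dump_table()
    return {
        "session_key": key,
        "loaded": store.load(key),            # legitimate cookie still works
        "leaked_rows": leaked,                # only digests leave the DB
        "cookie_from_leak": store.load(leaked[0][0]),  # None: digest != key
    }


if __name__ == "__main__":
    result = demo()
    print("cookie works:", result["loaded"] is not None)
    print("leaked digest usable as cookie:", result["cookie_from_leak"] is not None)
```

The trade-off this shows is the one a reviewer would want spelled out: a dump of the session table no longer yields cookies that can be replayed, while the cost added to every request is a single SHA-256 over a short string, which is negligible next to the database round trip.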
