#4531: SessionId collision - session takeover by accident
-----------------------------------------+----------------------------------
Reporter:  Frank Tegtmeyer <[EMAIL PROTECTED]>  |       Owner:  adrian          
 
  Status:  new                           |   Component:  Contrib apps     
 Version:  SVN                           |    Keywords:  sessionid session
   Stage:  Unreviewed                    |   Has_patch:  1                
-----------------------------------------+----------------------------------
 I just had an accidental session takeover at a client's web site.
 
 My session settings:
 {{{
 SESSION_COOKIE_SECURE = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_AGE = 70000
 }}}
 
 
 Environment:[[BR]]
 Python 2.5, Django SVN Revision: 5320, OpenBSD 4.1, lighttpd with FastCGI
 
 After checking the generation of the sessionid I found that there may be
 the following reasons (in combination):
 
  * very low traffic site (at the moment)
  * I had a very short session before logging in again; I used the logout
 link (admin interface).
  * no deletion of the session cookie when logging out (not sure about that
 but it would explain the behaviour)
  * five django processes, each having its own seeded random module
  * exclusive use of fixed data or determined data for the sessionid
 generation
 
 I think I reused my old sessionid by still having the cookie. Between
 logging out and logging in again another user got the same sessionid
 (because it was not in the database anymore). So I got an authenticated
 session from the other user.
 
 A patch is provided, maybe even the remote IP should be included in
 feeding md5.
 The session cookie should also be deleted when using a logout link.
 
 Regards, Frank

-- 
Ticket URL: <http://code.djangoproject.com/ticket/4531>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
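The two defensive properties the report asks for, shown as an added illustration that is not the ticket's patch and not Django's own session code: keys drawn from the OS CSPRNG (so worker processes never share a seeded `random` state), a cookie key that no longer exists in the store being replaced by a fresh key instead of being re-created under the old value, and a logout that deletes the record server-side and expires the cookie in the browser. The `SessionStore` class, `load_session`, `logout` and the `sessionid` cookie name are assumptions made for this example; the in-memory dictionary stands in for the database table.

```python
import secrets

# Constructed in-memory stand-in for the session table (example only).
class SessionStore:
    KEY_BYTES = 16  # 128 bits of CSPRNG output -> 32 hex characters in the cookie

    def __init__(self):
        self._sessions = {}

    def _new_key(self):
        # secrets reads the OS CSPRNG (os.urandom), so every process gets
        # independent output; no per-process seeded random module is involved.
        return secrets.token_hex(self.KEY_BYTES)

    def create(self, data):
        # Retry on a collision rather than silently attaching the new visitor
        # to a record that already belongs to someone else.
        while True:
            key = self._new_key()
            if key not in self._sessions:
                break
        self._sessions[key] = dict(data)
        return key

    def get(self, key):
        return self._sessions.get(key)

    def exists(self, key):
        return key in self._sessions

    def delete(self, key):
        self._sessions.pop(key, None)


def load_session(store, cookie_key):
    """Resolve the cookie value to (key, data).

    A key that is not in the store is never adopted as-is: a stale cookie
    therefore cannot 'reserve' an old key that another visitor might later be
    handed, which is the accidental takeover the ticket describes.
    """
    if cookie_key is not None and store.exists(cookie_key):
        return cookie_key, store.get(cookie_key)
    new_key = store.create({})
    return new_key, store.get(new_key)


def logout(store, cookie_key):
    """Delete the record server-side and return a Set-Cookie header value that
    expires the cookie, so the browser stops presenting the old key."""
    store.delete(cookie_key)
    return ("sessionid=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; "
            "Path=/; Secure; HttpOnly")


if __name__ == "__main__":
    store = SessionStore()
    key = store.create({"user": "frank"})
    print("logged in with key", key)
    print("logout header:", logout(store, key))
    new_key, data = load_session(store, key)
    print("stale cookie replaced by", new_key, "with data", data)
```

On logout the old key is gone from the store and the browser is told to drop the cookie; if a stale cookie is presented anyway, the server issues a new random key rather than re-using the value from the cookie.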