Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Benjamin Slavin
On 12/12/06, Rob Hudson <[EMAIL PROTECTED]> wrote:
> I remember reading many articles on PHP sessions and about session
> hijacking, etc. Have Django's sessions been looked at from this
> perspective or can Django's sessions have similar issues?

Django does use an algorithm that generates diffi

Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Jeremy Dunck
On 12/12/06, Benjamin Slavin <[EMAIL PROTECTED]> wrote:
> Sessions are based on data passed from the client to the server.
> Because this data can easily be forged, session impersonation is
> possible. That's where picking hard-to-guess identifiers comes in.
> If you have a secure random session

Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Rob Hudson
Benjamin Slavin wrote:
> Django does use an algorithm that generates difficult-to-guess session
> IDs; however, no current implementation of sessions (by anyone) is
> completely safe.

I've verified this, actually, with WebScarab, retrieving 1000 consecutive session ids and visualizing them on a p
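
The check Rob describes (collect a run of consecutive session IDs and look at them for structure) can be scripted. The following is an added example, not Django's own session code and not the get_new_session_key implementation the thread is discussing: a CSPRNG-backed generator next to a hypothetical weak one, a uniformity check of the kind a WebScarab plot gives you, and the attacker's view of the weak generator. The weak generator, the 2006-12-12 epoch, the request counter and the attacker's search window are all constructed for illustration.

```python
"""Session-key generation and a predictability check (added example)."""
import hashlib
import math
import secrets
from collections import Counter

SESSION_KEY_BYTES = 16  # 128 random bits, hex-encoded to 32 characters


def new_session_key() -> str:
    """Draw a session key from the OS CSPRNG (secrets wraps os.urandom).

    Observing any number of earlier keys tells an attacker nothing about
    the next one, which is the property a session ID actually needs.
    """
    return secrets.token_hex(SESSION_KEY_BYTES)


def weak_session_key(counter: int, epoch: int) -> str:
    """Hypothetical weak generator, constructed here for contrast only.

    Hashing a request counter and a one-second timestamp gives output that
    is unique and uniformly distributed, yet both inputs are guessable.
    """
    return hashlib.md5(f"{counter}:{epoch}".encode()).hexdigest()


def hex_entropy_bits_per_char(keys) -> float:
    """Shannon entropy of the hex alphabet over all keys; the ideal is 4.0."""
    counts = Counter("".join(keys))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_random(keys, min_bits: float = 3.9) -> bool:
    """What a visual inspection of N consecutive IDs can tell you:
    no repeats, and characters spread evenly across the alphabet."""
    return len(set(keys)) == len(keys) and hex_entropy_bits_per_char(keys) >= min_bits


def predict_next_weak_key(observed, epoch_lo, epoch_hi, counter_hi, drift=5):
    """Attacker model for the weak generator: knows the algorithm, roughly
    when the last observed key was issued (epoch_lo..epoch_hi) and an upper
    bound on the counter. Recovers the inputs behind the last observed key
    and returns candidate next keys for the following `drift` seconds.
    Returns [] when no (counter, epoch) pair reproduces the key."""
    last = observed[-1]
    for epoch in range(epoch_lo, epoch_hi + 1):
        for counter in range(counter_hi + 1):
            if weak_session_key(counter, epoch) == last:
                return [weak_session_key(counter + 1, epoch + d) for d in range(drift + 1)]
    return []


# Constructed sample: 1000 consecutive logins, one per second, on 2006-12-12.
BASE_EPOCH = 1165881600
WEAK_KEYS = [weak_session_key(i, BASE_EPOCH + i) for i in range(1000)]
STRONG_KEYS = [new_session_key() for _ in range(1000)]

if __name__ == "__main__":
    print("strong keys pass uniformity check:", looks_random(STRONG_KEYS))
    print("weak keys pass uniformity check:  ", looks_random(WEAK_KEYS))
    window = (BASE_EPOCH + 999 - 30, BASE_EPOCH + 999 + 30, 1100)
    candidates = predict_next_weak_key(WEAK_KEYS, *window)
    actual_next = weak_session_key(1000, BASE_EPOCH + 1000)
    print("attacker predicted the next weak key:", actual_next in candidates)
    print("same search against strong keys finds:", predict_next_weak_key(STRONG_KEYS, *window))
```

The point of running both generators through the same check is that the weak one passes it: a plot of hashed counter-plus-timestamp values looks as uniform as the CSPRNG output, because MD5 spreads its output evenly. Visual or statistical inspection catches sequential and linear generators, not guessable inputs, so the question to ask of a session framework is where its randomness comes from, not whether the IDs look random.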

Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Rob Hudson
* Benjamin Slavin ([EMAIL PROTECTED]) wrote:
> The get_new_session_key method would probably be a good place to
> start, though I have little familiarity with the interface to the
> session middleware. I'm swamped right now, so I'll look into it in
> the next few days. If you need any assistance

Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Jeremy Dunck
On 12/12/06, Rob Hudson <[EMAIL PROTECTED]> wrote:
> * Benjamin Slavin ([EMAIL PROTECTED]) wrote:
> > I think auto purge would need further discussion to figure out the
> > best solution.

Auto-purge should be optional, in any case. I like my session table the way it is, thanks. :)

> Is there

Re: Session security (was Re: Thinking out loud)

2006-12-13 Thread Michael Radziej
Rob Hudson wrote:
> * Benjamin Slavin ([EMAIL PROTECTED]) wrote:
>> I've never liked the idea of randomly slowing down requests to perform
>> housekeeping tasks. It's probably acceptable in low-volume sites, but
>> for high-traffic sites with a cluster of web servers a dedicated
>> process more

Re: Session security (was Re: Thinking out loud)

2006-12-13 Thread Rob Hudson
Michael Radziej wrote:
> > To go with the 80/20 rule, I'd imagine that for 80% of Django developers
> > something like this would work pretty well and be useful. [...]
>
> I don't think so.
>
> Isn't session cleanup a natural candidate for a cron job (and
> whatever is the equivalent in the Micros

Re: Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread James Bennett
On 12/12/06, Jeremy Dunck <[EMAIL PROTECTED]> wrote:
> With sparse session keys, the only reasonable attack I can see is MITM
> or replay. And no fingerprinting based on the request will help that,
> since all the headers are in the clear.

Yup. If you're really concerned about those types of att

Re: Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread Benjamin Slavin
On 12/12/06, Rob Hudson <[EMAIL PROTECTED]> wrote:
> > I agree that this would be a valuable addition. Perhaps you could
> > submit a patch... if you're not comfortable doing that, perhaps
> > someone else will.
>
> I'd be happy to attempt it. In looking at the code it seems like you
> could cal

Re: Re: Session security (was Re: Thinking out loud)

2006-12-12 Thread James Bennett
On 12/12/06, Jeremy Dunck <[EMAIL PROTECTED]> wrote:
> On 12/12/06, Rob Hudson <[EMAIL PROTECTED]> wrote:
> > Is there a way to make this happen *after* all the content was sent to
> > the user and the HTML tag closed?
>
> I don't think so, since the request/response cycle is how Django
> works, a