I am using beaker with pyramid_beaker in a pyramid application. I found out that I could forge a cookie session_id with the simple value '123' and make it valid once I log in to the application.

Here is the beaker configuration set in the development.ini of the pyramid application:

You can notice there is no session.secret set because I followed the recommendation in the documentation: "These options should then be used instead of the secret option listed above." (http://beaker.readthedocs.org/en/latest/configuration.html#encryption-options)

And here is the login form view:

Now, my problem is that my application might be vulnerable to a session fixation attack (see http://security.stackexchange.com/a/35097/25414).

I asked how to fix that on StackOverflow (http://stackoverflow.com/q/16303414/1919510) and I received an interesting comment:

"If the cookie value isn't signed then you aren't setting session.secret in your ini settings."
(http://stackoverflow.com/questions/16303414/how-to-prevent-user-to-set-the-value-of-the-session-id-cookie-used-by-pyramid-be#comment23379513_16309210)

This is true, I was not using session.secret. Using both session.secret and the encryption options (encrypt_key and validate_key) prevents me from forging a cookie with value 123 and thus fixes the session fixation attack problem.

So, is the beaker documentation clear or should I use session.secret eventually?
To load a cookie, beaker knows two classes: SimpleCookie and their special SignedCookie. Now, if you use the normal session, i.e. not a pure cookie one, then it uses the secret to validate the cookie signature. Otherwise it uses the validate_key. In your case you chose a combination of validate_key and the normal server-side session.

I think this is a security flaw in beaker: it should not be that the two different types use different parameters for their signature. Instead, both should use either the secret or the validate_key for the validation of a signed cookie. But even if this can't be fixed for compatibility reasons, then beaker needs to be clear on this: the note telling you to drop the secret refers specifically to the encrypted cookie, which seems to be only relevant to client-side cookies.
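To make the behaviour reported in the issue and explained in the comment above concrete, here is an added Python example; it is not code from beaker, pyramid_beaker or either participant. It models the two cookie loaders the comment describes: an unsigned cookie, where whatever id the client sends is accepted, and a signed cookie that carries a hex HMAC-SHA1 digest in front of the value (the layout beaker's SignedCookie uses, reimplemented here rather than imported). The cookie name beaker.session.id, the secret s3cret and the forged value are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

# Assumed cookie name for the demonstration (beaker lets you configure it via session.key).
COOKIE_KEY = "beaker.session.id"
DIGEST_LEN = 40  # hex length of a SHA-1 HMAC digest


def sign(secret, value):
    """Encode a cookie value as <hex HMAC-SHA1 digest><value>, the signed-cookie layout."""
    digest = hmac.new(secret.encode("utf-8"), value.encode("utf-8"), hashlib.sha1).hexdigest()
    return digest + value


def verify(secret, raw):
    """Return the value behind a signed cookie, or None if the signature is missing or wrong."""
    raw = raw.strip('"')
    if len(raw) <= DIGEST_LEN:
        return None  # too short to carry a digest plus a value
    sig, value = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hmac.new(secret.encode("utf-8"), value.encode("utf-8"), hashlib.sha1).hexdigest()
    # constant-time comparison so the check itself does not leak the digest
    if not hmac.compare_digest(sig, expected):
        return None
    return value


def new_session_id():
    """Fresh random id, as a server-side session mints when it trusts nothing from the client."""
    return os.urandom(16).hex()


def load_session_id(cookie_header, secret=None, key=COOKIE_KEY):
    """Pick the session id from the request's Cookie header.

    Models the two paths the comment describes: without a secret the raw cookie
    value is used as-is (so a client can choose '123'); with a secret the value
    must verify or it is thrown away and a new id is generated.
    Returns (session_id, taken_from_client).
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if key not in jar:
        return new_session_id(), False
    raw = jar[key].value
    if secret is None:
        return raw, True  # unsigned: anything the client sent is trusted
    sid = verify(secret, raw)
    if sid is None:
        return new_session_id(), False  # forged or tampered: discard and start over
    return sid, True


if __name__ == "__main__":
    forged = "%s=123" % COOKIE_KEY  # constructed attacker-chosen cookie
    print("no secret  :", load_session_id(forged))
    print("with secret:", load_session_id(forged, secret="s3cret"))
    legit = "%s=%s" % (COOKIE_KEY, sign("s3cret", "123"))
    print("signed     :", load_session_id(legit, secret="s3cret"))
```

With no secret the forged value 123 is taken as the session id, which is exactly the fixation vector the issue reports; with a secret, a value that does not carry a matching signature is discarded and a fresh random id is issued. Signing stops a client from choosing its own id, but it does not protect against an attacker who plants a cookie the server itself issued, which is why regenerating the session id at login is still the standard complement to a signed cookie.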