[1.5.x] Fixed #20444 -- Cookie-based sessions do not include a remote code execution warning

Backport of d5ce2ff from master
commit 2b750fff5653781f07e65a54a99e7da66361ec9e 1 parent cb2fee5
Erik Romijn erikr authored timgraham committed
Showing with 11 additions and 0 deletions.
  1. +11 −0 docs/topics/http/sessions.txt
11 docs/topics/http/sessions.txt
@@ -124,6 +124,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
+ **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
+ arbitrary remote code execution.**
+
+ An attacker in possession of the :setting:`SECRET_KEY` can not only
+ generate falsified session data, which your site will trust, but also
+ remotely execute arbitrary code, as the data is serialized using pickle.
+
+ If you use cookie-based sessions, pay extra care that your secret key is
+ always kept completely secret, for any system which might be remotely
+ accessible.
+
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.
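Review bot: The new warning text ties the remote code execution risk to pickle only in passing ("as the data is serialized using pickle", third added paragraph), so the first bolded sentence reads as if a leaked SECRET_KEY leads to code execution unconditionally; consider making the dependency explicit, e.g. "**If the :setting:`SECRET_KEY` is not kept secret and session data is serialized with pickle, this can lead to arbitrary remote code execution.**", so the paragraph stays accurate if the serializer changes later. The last added paragraph is also vague on what to do once the key may have leaked: a short pointer that rotating the key invalidates all existing signed sessions would give readers an action, and "pay extra care" should be "take extra care".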