Browse files

[1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remo…

…te code execution-warning

Backport of d5ce2ff from master
  • Loading branch information...
1 parent cb2fee5 commit 2b750fff5653781f07e65a54a99e7da66361ec9e @erikr erikr committed with timgraham May 18, 2013
Showing with 11 additions and 0 deletions.
  1. +11 −0 docs/topics/http/sessions.txt
@@ -124,6 +124,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
+ **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
+ arbitrary remote code execution.**
+ An attacker in possession of the :setting:`SECRET_KEY` can not only
+ generate falsified session data, which your site will trust, but also
+ remotely execute arbitrary code, as the data is serialized using pickle.
+ If you use cookie-based sessions, pay extra care that your secret key is
+ always kept completely secret, for any system which might be remotely
+ accessible.
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.

0 comments on commit 2b750ff

Please sign in to comment.