Added warning about replay attacks when using the cookies backend for sessions.

The paragraph about encryption was reworded for clarity.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 6205a348f084cbab8d2953accecfc04b9fc75543 (1 parent: 87ffc6a)
Luke Plant (spookylukey) authored
Showing with 24 additions and 8 deletions.
  1. +24 −8 docs/topics/http/sessions.txt
docs/topics/http/sessions.txt (32 changed lines)
@@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
- **The session data is signed but not encrypted!**
+ **The session data is signed but not encrypted**
- When using the cookies backend the session data can be read out
- and will be invalidated when being tampered with. The same invalidation
- happens if the client storing the cookie (e.g. your user's browser)
- can't store all of the session cookie and drops data. Even though
- Django compresses the data, it's still entirely possible to exceed
- the `common limit of 4096 bytes`_ per cookie.
+ When using the cookies backend the session data can be read by the client.
- Also, the size of a cookie can have an impact on the `speed of your site`_.
+ A MAC (Message Authentication Code) is used to protect the data against
+ changes by the client, so that the session data will be invalidated when being
+ tampered with. The same invalidation happens if the client storing the
+ cookie (e.g. your user's browser) can't store all of the session cookie and
+ drops data. Even though Django compresses the data, it's still entirely
+ possible to exceed the `common limit of 4096 bytes`_ per cookie.
+
+ **No freshness guarantee**
+
+ Note also that while the MAC can guarantee the authenticity of the data
+ (that it was generated by your site, and not someone else), and the
+ integrity of the data (that it is all there and correct), it cannot
+ guarantee freshness i.e. that you are being sent back the last thing you
+ sent to the client. This means that for some uses of session data, the
+ cookie backend might open you up to `replay attacks`_. Cookies will only
+ detected as 'stale' if they are older than your
+ :setting:`SESSION_COOKIE_AGE`.
+
+ **Performance**
+
+ Finally, the size of a cookie can have an impact on the `speed of your site`_.
.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
+.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
Using sessions in views
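Review bot: The last sentence of the new "No freshness guarantee" paragraph is missing a verb: "Cookies will only detected as 'stale' if they are older than your :setting:`SESSION_COOKIE_AGE`." should read "Cookies will only be detected as 'stale' if ...". In the same paragraph, "freshness i.e. that you are being sent back" reads better with a comma before "i.e.". Since this is the sentence that tells readers the only replay limit the backend enforces, it may also be worth stating the consequence plainly: a client that keeps a copy of an earlier cookie can present it again and restore that earlier session state until the cookie age expires, so any session value whose reset must stick (the text's "some uses of session data") should not rely on the cookie backend alone.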