Added warning about replay attacks when using the cookies backend for sessions.

The paragraph about encryption was reworded for clarity.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 6205a348f084cbab8d2953accecfc04b9fc75543 1 parent 87ffc6a
@spookylukey spookylukey authored
Showing with 24 additions and 8 deletions.
  1. +24 −8 docs/topics/http/sessions.txt
32 docs/topics/http/sessions.txt
@@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
- **The session data is signed but not encrypted!**
+ **The session data is signed but not encrypted**
- When using the cookies backend the session data can be read out
- and will be invalidated when being tampered with. The same invalidation
- happens if the client storing the cookie (e.g. your user's browser)
- can't store all of the session cookie and drops data. Even though
- Django compresses the data, it's still entirely possible to exceed
- the `common limit of 4096 bytes`_ per cookie.
+ When using the cookies backend the session data can be read by the client.
- Also, the size of a cookie can have an impact on the `speed of your site`_.
+ A MAC (Message Authentication Code) is used to protect the data against
+ changes by the client, so that the session data will be invalidated when being
+ tampered with. The same invalidation happens if the client storing the
+ cookie (e.g. your user's browser) can't store all of the session cookie and
+ drops data. Even though Django compresses the data, it's still entirely
+ possible to exceed the `common limit of 4096 bytes`_ per cookie.
+
+ **No freshness guarantee**
+
+ Note also that while the MAC can guarantee the authenticity of the data
+ (that it was generated by your site, and not someone else), and the
+ integrity of the data (that it is all there and correct), it cannot
+ guarantee freshness i.e. that you are being sent back the last thing you
+ sent to the client. This means that for some uses of session data, the
+ cookie backend might open you up to `replay attacks`_. Cookies will only
+ detected as 'stale' if they are older than your
+ :setting:`SESSION_COOKIE_AGE`.
+
+ **Performance**
+
+ Finally, the size of a cookie can have an impact on the `speed of your site`_.
.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
+.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
Using sessions in views
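Review bot: the new "No freshness guarantee" paragraph has a missing verb in "Cookies will only detected as 'stale' if they are older than your :setting:`SESSION_COOKIE_AGE`"; it should read "Cookies will only be detected as stale". While touching that sentence, it would help to state the practical consequence the paragraph only implies: since staleness is judged by age alone, a copy of an earlier cookie remains valid until :setting:`SESSION_COOKIE_AGE` elapses, whatever the site has since sent to the client, so session data that must not be reused (one-time tokens, counters, anything consumed by a request) should not live in the cookie backend. Minor: "i.e." in "it cannot guarantee freshness i.e. that you are being sent back" wants a comma before it, and the "**The session data is signed but not encrypted**" bold heading lost its trailing exclamation mark in the rewrite, which is fine but worth confirming was intentional since the other two headings ("**No freshness guarantee**", "**Performance**") now match its style.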