Added a warning regarding session security and subdomains.

commit a3372f67cba4cffc2b0c40f006fe23f9bf31650f 1 parent 651bb73
Tim Graham authored September 25, 2013
30  docs/topics/http/sessions.txt
@@ -308,11 +308,17 @@ You can edit it multiple times.
308 308
       Returns either ``True`` or ``False``, depending on whether the user's
309 309
       session cookie will expire when the user's Web browser is closed.
310 310
 
311  
-    .. method:: SessionBase.clear_expired
  311
+    .. method:: clear_expired
312 312
 
313 313
       Removes expired sessions from the session store. This class method is
314 314
       called by :djadmin:`clearsessions`.
315 315
 
  316
+    .. method:: cycle_key
  317
+
  318
+      Creates a new session key while retaining the current session data.
  319
+      :func:`django.contrib.auth.login()` calls this method to mitigate against
  320
+      session fixation.
  321
+
316 322
 .. _session_serialization:
317 323
 
318 324
 Session serialization
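Review bot: the new ``.. method:: cycle_key`` entry says the method is called "to mitigate against session fixation" but does not say what happens to the old session key, which is the detail a reader assessing fixation risk actually needs; please state whether the previous key is deleted from the session store or merely abandoned. Also "mitigate against" reads awkwardly; "to mitigate session fixation" matches the wording the second hunk of this patch uses. Dropping the ``SessionBase.`` prefix from ``clear_expired`` keeps it consistent with the new ``cycle_key`` entry, which is fine.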
@@ -503,7 +509,7 @@ An API is available to manipulate session data outside of a view::
503 509
     >>> s['last_login']
504 510
     1376587691
505 511
 
506  
-In order to prevent session fixation attacks, sessions keys that don't exist
  512
+In order to mitigate session fixation attacks, sessions keys that don't exist
507 513
 are regenerated::
508 514
 
509 515
     >>> from django.contrib.sessions.backends.db import SessionStore
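Review bot: "sessions keys that don't exist" should read "session keys that don't exist"; the line is already being rewritten from "prevent" to "mitigate", so fix the typo in the same change rather than carrying it into the new text.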
@@ -644,6 +650,26 @@ behavior:
644 650
 * :setting:`SESSION_FILE_PATH`
645 651
 * :setting:`SESSION_SAVE_EVERY_REQUEST`
646 652
 
  653
+.. _topics-session-security:
  654
+
  655
+Session security
  656
+================
  657
+
  658
+Subdomains within a site are able to set cookies on the client for the whole
  659
+domain. This makes session fixation possible if all subdomains are not
  660
+controlled by trusted users (or, are at least unable to set cookies).
  661
+
  662
+For example, an attacker could log into ``good.example.com`` and get a valid
  663
+session for his account. If the attacker has control over ``bad.example.com``,
  664
+he can use it to send his session key to you since a subdomain is permitted
  665
+to set cookies on `*.example.com``. When you visit ``good.example.com``,
  666
+you'll be logged in as the attacker and might inadvertently enter your
  667
+sensitive personal data (e.g. credit card info) into the attackers account.
  668
+
  669
+Another possible attack would be if ``good.example.com`` sets its
  670
+:setting:`SESSION_COOKIE_DOMAIN` to ``".example.com"`` which would cause
  671
+session cookies from that site to be sent to ``bad.example.com``.
  672
+
647 673
 Technical details
648 674
 =================
649 675
 
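Review bot: the reST markup in the new Session security section is unbalanced: the literal for *.example.com opens with a single backtick and closes with two, so it will not render as inline code; use two backticks on each side as the other hostnames in the paragraph do. Wording fixes in the same section: "if all subdomains are not controlled by trusted users" reads more clearly as "if not all subdomains are controlled by trusted users", and "the attackers account" needs an apostrophe ("the attacker's account"). It would also help to end the section with the defensive conclusion the two examples imply: do not let untrusted parties control any subdomain of the domain the session cookie is scoped to, and do not set :setting:`SESSION_COOKIE_DOMAIN` to a parent domain such as ``".example.com"`` when any subdomain is untrusted, since that sends the session cookie to every subdomain.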
7  docs/topics/security.txt
@@ -195,6 +195,13 @@ Additionally, as of 1.3.1, Django requires you to explicitly enable support for
195 195
 the ``X-Forwarded-Host`` header (via the :setting:`USE_X_FORWARDED_HOST`
196 196
 setting) if your configuration requires it.
197 197
 
  198
+Session security
  199
+================
  200
+
  201
+Similar to the :ref:`CSRF limitations <csrf-limitations>` requiring a site to
  202
+be deployed such that untrusted users don't have access to any subdomains,
  203
+:mod:`django.contrib.sessions` also has limitations. See :ref:`the session
  204
+topic guide section on security <topics-session-security>` for details.
198 205
 
199 206
 .. _additional-security-topics:
200 207
 
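Review bot: the new Session security section in security.txt only points at the topic guide; since this file is the security overview, one sentence stating the risk itself (a subdomain can set a session cookie for the parent domain, which makes session fixation possible) would let the reader judge the limitation without following the link. Minor style point: "Similar to the :ref:`CSRF limitations <csrf-limitations>` requiring a site to be deployed such that ..." is a long sentence; "As with the :ref:`CSRF limitations <csrf-limitations>`, which require ..." would read more cleanly.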