Browse files

Fixed #20444 -- Cookie-based sessions does not include a remote code …

  • Loading branch information...
1 parent 3634948 commit d5ce2ff5e485bf94fcade340bc803ba4671bd95a @erikr erikr committed with aaugustin May 18, 2013
Showing with 11 additions and 0 deletions.
  1. +11 −0 docs/topics/http/sessions.txt
@@ -125,6 +125,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
+ **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
+ arbitrary remote code execution.**
+ An attacker in possession of the :setting:`SECRET_KEY` can not only
+ generate falsified session data, which your site will trust, but also
+ remotely execute arbitrary code, as the data is serialized using pickle.
+ If you use cookie-based sessions, pay extra care that your secret key is
+ always kept completely secret, for any system which might be remotely
+ accessible.
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.

0 comments on commit d5ce2ff

Please sign in to comment.