1
0
mirror of https://github.com/django/django.git synced 2024-12-22 17:16:24 +00:00

Clarified session replay attack differences with cookie backend.

This commit is contained in:
Tim Graham 2013-10-02 10:15:18 -04:00
parent 978e1351a6
commit 00a0d3de02

View File

@ -163,8 +163,12 @@ and the :setting:`SECRET_KEY` setting.
integrity of the data (that it is all there and correct), it cannot
guarantee freshness i.e. that you are being sent back the last thing you
sent to the client. This means that for some uses of session data, the
cookie backend might open you up to `replay attacks`_. Cookies will only be
detected as 'stale' if they are older than your
cookie backend might open you up to `replay attacks`_. Unlike other session
backends which keep a server-side record of each session and invalidate it
when a user logs out, cookie-based sessions are not invalidated when a user
logs out. Thus if an attacker steals a user's cookie, he can use that
cookie to login as that user even if the user logs out. Cookies will only
be detected as 'stale' if they are older than your
:setting:`SESSION_COOKIE_AGE`.
**Performance**