mirror of
				https://github.com/django/django.git
				synced 2025-10-25 14:46:09 +00:00 
			
		
		
		
	Added warning about replay attacks when using the cookies backend for sessions.
The paragraph about encryption was reworded for clarity. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
		| @@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting. | |||||||
|  |  | ||||||
| .. warning:: | .. warning:: | ||||||
|  |  | ||||||
|     **The session data is signed but not encrypted!** |     **The session data is signed but not encrypted** | ||||||
|  |  | ||||||
|     When using the cookies backend the session data can be read out |     When using the cookies backend the session data can be read by the client. | ||||||
|     and will be invalidated when being tampered with. The same invalidation |  | ||||||
|     happens if the client storing the cookie (e.g. your user's browser) |  | ||||||
|     can't store all of the session cookie and drops data. Even though |  | ||||||
|     Django compresses the data, it's still entirely possible to exceed |  | ||||||
|     the `common limit of 4096 bytes`_ per cookie. |  | ||||||
|  |  | ||||||
|     Also, the size of a cookie can have an impact on the `speed of your site`_. |     A MAC (Message Authentication Code) is used to protect the data against | ||||||
|  |     changes by the client, so that the session data will be invalidated when being | ||||||
|  |     tampered with. The same invalidation happens if the client storing the | ||||||
|  |     cookie (e.g. your user's browser) can't store all of the session cookie and | ||||||
|  |     drops data. Even though Django compresses the data, it's still entirely | ||||||
|  |     possible to exceed the `common limit of 4096 bytes`_ per cookie. | ||||||
|  |  | ||||||
|  |     **No freshness guarantee** | ||||||
|  |  | ||||||
|  |     Note also that while the MAC can guarantee the authenticity of the data | ||||||
|  |     (that it was generated by your site, and not someone else), and the | ||||||
|  |     integrity of the data (that it is all there and correct), it cannot | ||||||
|  |     guarantee freshness i.e. that you are being sent back the last thing you | ||||||
|  |     sent to the client. This means that for some uses of session data, the | ||||||
|  |     cookie backend might open you up to `replay attacks`_. Cookies will only | ||||||
|  |     detected as 'stale' if they are older than your | ||||||
|  |     :setting:`SESSION_COOKIE_AGE`. | ||||||
|  |  | ||||||
|  |     **Performance** | ||||||
|  |  | ||||||
|  |     Finally, the size of a cookie can have an impact on the `speed of your site`_. | ||||||
|  |  | ||||||
| .. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3 | .. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3 | ||||||
|  | .. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack | ||||||
| .. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/ | .. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/ | ||||||
|  |  | ||||||
| Using sessions in views | Using sessions in views | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user