mirror of
				https://github.com/django/django.git
				synced 2025-10-24 22:26:08 +00:00 
			
		
		
		
	[1.6.x] Clarified session replay attack differences with cookie backend.
Backport of 00a0d3de02 from master
			
			
This commit is contained in:
		| @@ -162,8 +162,12 @@ and the :setting:`SECRET_KEY` setting. | |||||||
|     integrity of the data (that it is all there and correct), it cannot |     integrity of the data (that it is all there and correct), it cannot | ||||||
|     guarantee freshness i.e. that you are being sent back the last thing you |     guarantee freshness i.e. that you are being sent back the last thing you | ||||||
|     sent to the client. This means that for some uses of session data, the |     sent to the client. This means that for some uses of session data, the | ||||||
|     cookie backend might open you up to `replay attacks`_. Cookies will only be |     cookie backend might open you up to `replay attacks`_. Unlike other session | ||||||
|     detected as 'stale' if they are older than your |     backends which keep a server-side record of each session and invalidate it | ||||||
|  |     when a user logs out, cookie-based sessions are not invalidated when a user | ||||||
|  |     logs out. Thus if an attacker steals a user's cookie, he can use that | ||||||
|  |     cookie to login as that user even if the user logs out. Cookies will only | ||||||
|  |     be detected as 'stale' if they are older than your | ||||||
|     :setting:`SESSION_COOKIE_AGE`. |     :setting:`SESSION_COOKIE_AGE`. | ||||||
|  |  | ||||||
|     **Performance** |     **Performance** | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user