Benjamin Slavin wrote:
> Django does use an algorithm that generates difficult-to-guess session
> IDs; however, no current implementation of sessions (by anyone) is
> completely safe.

I've verified this, actually, with WebScarab, retrieving 1000 consecutive session ids and visualizing them on a plot of id vs time. It was pretty scattered, which is good. I can post the image if anyone would like to see. I did this against Django 0.95.

> I haven't seen any proposals for improved session security that are
> effective, not easily overcome, and work with upstream proxies.

I'm starting to see that this is the case after reading "Session Management" at the OWASP site: http://www.owasp.org/index.php/Session_Management

> > He also raises some points on why it might be good to provide an API to
> > the developer to regenerate IDs, or to regenerate a new sessionid in
> > certain scenarios.
>
> I agree that this would be a valuable addition. Perhaps you could
> submit a patch... if you're not comfortable doing that, perhaps
> someone else will.

I'd be happy to attempt it. In looking at the code it seems like you could call the SessionManager's get_new_session_key. But I'm not sure what that would look like at the view level where I think it would be most useful.

Other improvements to sessions I can think of (and maybe there are ways to do this already):

* Add in a last authenticated date stamp to the model so developers can re-authenticate after a certain period of time if a user tries to access sensitive data. I see this a lot on sites where you are still logged in, but if you want to do anything significant you are required to re-authenticate if it has been more than a specified time since last authentication.

* An auto purge algorithm that clears expired sessions from the django_session table. I'm thinking something along the lines of PHP's garbage collection settings[1] so one can specify a probability that the session garbage collection routine is called. For low traffic sites you may want a 1 in 20 chance. For high traffic sites you may want a 1 in 1000 request chance.

It could be something like:

    # A tuple signifying an X in Y chance as (X, Y)
    settings.SESSION_CLEANUP_PROBABILITY = (1, 20)

Then the session code would be something like:

    import random
    from django.conf import settings

    def trigger_cleanup():
        # Roll a die with `denominator` faces; cleanup runs when it lands
        # on one of the first `numerator` faces, i.e. with probability X/Y.
        numerator, denominator = settings.SESSION_CLEANUP_PROBABILITY
        return random.randint(1, denominator) <= numerator

    if trigger_cleanup():
        # call session cleanup code
        pass

[1] http://www.php.net/manual/en/ref.session.php#ini.session.gc-divisor
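The three improvements discussed in the thread (regenerating the session key after login, a last-authenticated timestamp that forces re-authentication before sensitive actions, and probabilistic purging of expired sessions) put together in one runnable sketch. This is an added example, not Django's code and not the poster's patch: SessionStore, FakeClock, SESSION_MAX_AGE and REAUTH_AFTER are hypothetical names standing in for the django_session table and settings, and the (X, Y) probability tuple follows the post's SESSION_CLEANUP_PROBABILITY idea.

```python
import random
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical settings (not Django's), mirroring the post's (X, Y) idea.
SESSION_CLEANUP_PROBABILITY = (1, 20)   # 1-in-20 chance per request
SESSION_MAX_AGE = 3600                  # idle seconds before a session expires
REAUTH_AFTER = 900                      # seconds before sensitive views re-authenticate


class FakeClock:
    """Controllable clock so expiry logic can be exercised deterministically."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    expires_at: float = 0.0
    last_authenticated: Optional[float] = None


class SessionStore:
    """Minimal in-memory stand-in for the django_session table (hypothetical)."""

    def __init__(self, seed=None, clock=time.time):
        self._sessions = {}
        self._rng = random.Random(seed)   # seeded only for reproducible tests
        self._clock = clock

    def new_key(self) -> str:
        # Unpredictable key from the OS CSPRNG; loop guards against collisions.
        while True:
            key = secrets.token_hex(16)
            if key not in self._sessions:
                return key

    def create(self) -> str:
        key = self.new_key()
        self._sessions[key] = Session(expires_at=self._clock() + SESSION_MAX_AGE)
        return key

    def get(self, key: str) -> Optional[Session]:
        return self._sessions.get(key)

    def regenerate_key(self, old_key: str) -> str:
        """Move the session to a fresh key (call right after login) so a key
        issued before authentication is never the authenticated one."""
        session = self._sessions.pop(old_key)
        new_key = self.new_key()
        self._sessions[new_key] = session
        return new_key

    def mark_authenticated(self, key: str) -> None:
        self._sessions[key].last_authenticated = self._clock()

    def needs_reauth(self, key: str, max_age: int = REAUTH_AFTER) -> bool:
        """True when the user must log in again before a sensitive action."""
        last = self._sessions[key].last_authenticated
        return last is None or self._clock() - last > max_age

    def trigger_cleanup(self) -> bool:
        # Same X-in-Y roll as the post's trigger_cleanup().
        numerator, denominator = SESSION_CLEANUP_PROBABILITY
        return self._rng.randint(1, denominator) <= numerator

    def purge_expired(self) -> int:
        now = self._clock()
        expired = [k for k, s in self._sessions.items() if s.expires_at <= now]
        for k in expired:
            del self._sessions[k]
        return len(expired)

    def on_request(self) -> int:
        """Per-request hook: run the purge only when the roll succeeds."""
        return self.purge_expired() if self.trigger_cleanup() else 0

    def __len__(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(seed=0, clock=clock)
    anon = store.create()
    store.mark_authenticated(anon)
    authed = store.regenerate_key(anon)      # old key is now invalid
    print("old key alive:", store.get(anon) is not None)
    clock.advance(REAUTH_AFTER + 1)
    print("needs re-auth:", store.needs_reauth(authed))
```

The key-regeneration step is what OWASP's session-management guidance asks for at privilege changes; the last-authenticated check is the "re-authenticate for anything significant" pattern from the post; and the purge frequency is tuned by the (X, Y) tuple exactly as proposed, with a seeded RNG only so the hit rate can be checked in a test.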
