Hi Nikolai,

On Friday, September 19, 2014 1:50:33 PM UTC+2, Nikolai Prokoschenko wrote:

> 1. Has there been some security audit in the past which confirmed that
> session ID handling inside Django is not vulnerable to SQL injection
> attacks?

Nothing public that I am aware of, no.

> 2. Can I argue that Django's ORM is SQL injection safe (we are 99%
> ORM-based)?

Yes, at least there is no known problem in any backend (shipped with Django).

> 3. In general, is my assumption correct that I'd be vastly reducing
> entropy if I implemented a session handler with different key generation? I
> can't really analyze [3] for collisions probability, esp. since it's not
> one of the usual suspects (MD5/SHA1/SHA256/etc.), but have a feeling that
> anything I'd produce will have a much higher percentage.

Depending on how exactly you generate the key, you can be fine. So as an example: assuming you'd just have 0-9 and a-j and choose one item out of those every second step, you'll have the same entropy as just choosing from 0-9 all the time, but once you choose from 0-9 & a-j every time you have a higher space. That said, if you increase the length enough, you can make up for it (though you'd have to check if Django has problems with longer session ids).

Cheers,
Florian

-- 
You received this message because you are subscribed to the Google Groups "Django developers" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/e7be322e-ad63-4c14-b63c-45b1d6284cc2%40googlegroups.com.
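As an added illustration of the entropy argument in Florian's reply (example code written for this page, not from the thread and not Django's own session code): the entropy of a key is the sum over positions of log2(number of symbols that position can take), so alternating between two 10-symbol alphabets gives exactly the digits-only figure, while the 20-symbol union gives more, and a longer key over the smaller alphabet can make up the difference. It assumes a 32-character key and the alphabets 0-9 and a-j named in the reply.

```python
import math
import secrets
import string

# Constructed comparison: entropy depends on how many symbols each
# position can take, not on which symbols they are.
DIGITS = string.digits            # "0123456789"  -> 10 symbols
LETTERS_A_TO_J = "abcdefghij"     # 10 symbols
UNION = DIGITS + LETTERS_A_TO_J   # 20 symbols
KEY_LENGTH = 32                   # assumed key length for the comparison


def key_entropy_bits(alphabets):
    """Bits of entropy of a key whose i-th character is drawn uniformly and
    independently from alphabets[i] (each alphabet is a string of symbols)."""
    return sum(math.log2(len(a)) for a in alphabets)


def length_to_match(target_bits, alphabet):
    """Shortest key over one fixed alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_key(alphabets):
    """Draw one symbol per position with a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(a) for a in alphabets)


def compare_schemes(length=KEY_LENGTH):
    """Entropy (bits) of the three schemes from the reply, plus the length a
    10-symbol alphabet needs to reach the 20-symbol alphabet's entropy."""
    digits_only = [DIGITS] * length
    alternating = [DIGITS, LETTERS_A_TO_J] * (length // 2)  # 0-9, a-j, 0-9, ...
    union_every = [UNION] * length
    return {
        "digits_only": key_entropy_bits(digits_only),
        "alternating": key_entropy_bits(alternating),
        "union_every": key_entropy_bits(union_every),
        "digits_len_to_match_union": length_to_match(
            key_entropy_bits(union_every), DIGITS),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:>26}: {value:.1f}")
    print("sample alternating key:", generate_key([DIGITS, LETTERS_A_TO_J] * 16))
```

For a 32-character key the digits-only and alternating schemes both come to about 106.3 bits, the 20-symbol union to about 138.3 bits, and a digits-only key needs 42 characters to reach the latter.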
