> On 22 Sep 2016, at 13:38, Alex Gaynor <alex.gay...@gmail.com> wrote:
> 
> If Django were a different framework, I'd probably think this was a 
> reasonable idea. However, Django's ORM is _incredibly_ good at deterring SQL 
> injection. In many many years of using and reviewing Django applications, SQL 
> injection is vanishingly rare in my experience; therefore I think this adds 
> complexity for limited gain. Another relevant factor is that this is only 
> applicable to the database sessions backend.

The attacker would only need read access for this to work, not write access. 
That could possibly be achieved even without SQL injection. If the 
attacker can just put another person's session ID in her cookie, then session 
IDs are basically passwords. Passwords should not be stored clear-text. The 
only difference is that session IDs are more short-lived than passwords.

It's the same issue with API key authentication for REST APIs. Not many people 
remember to hash the keys before storing them in the DB.

If the attacker gains write access to the DB, then you're doomed anyway, hashes 
or not. The attacker just makes up her own session ID, hashes it and writes it 
to the database. Or makes up her own password and writes it to the Users table.

Erik

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/54777EE1-707B-4794-9854-394C5892587B%40cederstrand.dk.
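The point Erik makes (a read-only leak of the sessions or API-key table is enough to impersonate users unless only a hash of the token is stored, while write access defeats hashing anyway) can be shown with a small constructed store. This is an added example, not code from the thread or from Django: `TokenStore` is a hypothetical in-memory stand-in for a sessions/API-key table, `hash_token` uses plain SHA-256 because the tokens are freshly generated with 256 bits of randomness (a password KDF is only needed for low-entropy, user-chosen secrets), and the two "attacker" functions model exactly the read-only and write-access scenarios in the message.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional, Set


def identity(token: str) -> str:
    """Plaintext storage: the column holds the credential itself."""
    return token


def hash_token(token: str) -> str:
    """Hashed storage. Tokens issued by TokenStore.issue() carry 256 bits of
    randomness, so an unsalted SHA-256 is sufficient; brute force is infeasible
    and no two users can collide. Use bcrypt/argon2 only for low-entropy secrets."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical stand-in for a session or API-key table.

    `rows` maps the stored column value -> principal (user name). `transform`
    is applied to a token both when it is stored and when it is looked up, so
    the same class models a plaintext table (identity) and a hashed one.
    """

    def __init__(self, transform: Callable[[str], str]) -> None:
        self.transform = transform
        self.rows: Dict[str, str] = {}

    def issue(self, principal: str) -> str:
        # 32 random bytes -> 256 bits of entropy; the raw token is returned to
        # the client once (cookie / API key) and only its transform is kept.
        token = secrets.token_urlsafe(32)
        self.rows[self.transform(token)] = principal
        return token

    def lookup(self, presented: str) -> Optional[str]:
        # Equivalent of `WHERE token_hash = ?`. An equality match on the digest
        # is safe: learning the stored digest does not yield the token.
        return self.rows.get(self.transform(presented))


def replay_dump(store: TokenStore) -> Set[str]:
    """Attacker with READ access only (e.g. a leaked dump or a read-only SQLi).

    They replay every stored column value as if it were a cookie / API key and
    collect the principals they manage to impersonate.
    """
    impersonated = set()
    for stored_value in list(store.rows):
        principal = store.lookup(stored_value)
        if principal is not None:
            impersonated.add(principal)
    return impersonated


def forge_with_write_access(store: TokenStore, principal: str) -> str:
    """Attacker with WRITE access: hashing does not help, exactly as the
    message says. They mint their own token and insert its transform."""
    token = secrets.token_urlsafe(32)
    store.rows[store.transform(token)] = principal
    return token


if __name__ == "__main__":
    plaintext = TokenStore(identity)
    plaintext.issue("alice")
    print("plaintext table, read-only leak impersonates:", replay_dump(plaintext))

    hashed = TokenStore(hash_token)
    hashed.issue("alice")
    print("hashed table, read-only leak impersonates:", replay_dump(hashed))

    forged = forge_with_write_access(hashed, "admin")
    print("hashed table, write access logs in as:", hashed.lookup(forged))
```

The legitimate path still works (`issue` returns a token that `lookup` resolves), the read-only dump of the hashed table yields nothing usable, and the forged row shows why write access is game over regardless of hashing.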