For what it's worth, I'm suspicious of threat models which begin with "assume the DB has already been significantly compromised..." simply because there's so much someone can do if they gain even read access that it's not worth expending a ton of effort hardening Django against those cases.
Similarly, "assume a SQL injection vulnerability already exists" doesn't do much for me because for something that lives and dies by the DB, that's very close to "assume some remote-root vuln already exists and has been exploited". So personally I'd like to hear some more about why this is seen as necessary before I'd endorse work to actually implement it. On Thu, Sep 22, 2016 at 5:00 AM, Rigel <z...@zedr.com> wrote: > On Thu, Sep 22, 2016 at 12:31 PM, Curtis Maloney <cur...@tinbrain.net> > wrote: > > They're just a random string, I don't see how turning them into another > > random string will help? Or do you mean to set the original string in > the > > cookie only, and hash them for the key, and hash them _every_ _time_ you > > look up the session? > > I'm an attacker and I've found a way to read the session database > table. I can now impersonate user Bob. > > If the session-ids were hashed, I would need still need to know's > Bob's session-id. Django woudn't store it anywhere on the database. > > Rigel. > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-developers+unsubscr...@googlegroups.com. > To post to this group, send email to django-developers@googlegroups.com. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/django-developers/CAD9P0Jr8uKogoeUz%3Dx1CHpC0hKQ4qyt5DVQo7vx- > rZka7pYVyQ%40mail.gmail.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg-NetD5GcA%2BjTkw0HGA0Hf8UfV4MDGRMpbSF5QT4t8aUg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
