#3507: sessions race condition
------------------------------------+---------------------------------------
Reporter:  [EMAIL PROTECTED]  |       Owner:  adrian      
  Status:  new                      |   Component:  Contrib apps
 Version:  SVN                      |    Keywords:  sessions    
   Stage:  Unreviewed               |   Has_patch:  0           
------------------------------------+---------------------------------------
 Regarding this piece of code in django/contrib/sessions/models.py:
 
 {{{
         while 1:
             session_key = md5.new(
                 str(random.randint(0, sys.maxint - 1)) +
                 str(random.randint(0, sys.maxint - 1)) +
                 settings.SECRET_KEY).hexdigest()
             try:
                 self.get(session_key=session_key)
             except self.model.DoesNotExist:
                 break
         return session_key
 }}}
 
 There is a very, very small chance that a race condition exists between
 finding a unique session and saving it, which would result in one user
 ending up with a session owned by someone else. I know the chance is very
 small, but I do worry about it. Maybe it would be possible to also include
 remote_addr into the to be hashed string?
 
 I also want to add that it would be nice to make a configuration option to
 make it impossible to use a session from another remote_addr. I might be
 too paranoid.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/3507>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
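
The check-then-save window described in the ticket, next to an allocation that lets a uniqueness constraint arbitrate, as an added example that is not Django's code or part of the original ticket. Assumptions: the `session` table, all function names, the use of `sqlite3` and `secrets`, and the insert-or-update save behaviour are illustrative; the colliding key `"dup"` is constructed.

```python
import secrets
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY makes the INSERT itself the atomic claim on a key.
    db.execute("CREATE TABLE session (session_key TEXT PRIMARY KEY, owner TEXT)")
    return db

def key_is_free(db, key):
    # The "check" half of the check-then-save pattern quoted in the ticket.
    q = "SELECT 1 FROM session WHERE session_key = ?"
    return db.execute(q, (key,)).fetchone() is None

def racy_interleaving(db, key):
    # Constructed worst case: two requests draw the same key and both
    # run the check before either one saves.
    seen_free = [(owner, key_is_free(db, key)) for owner in ("alice", "bob")]
    for owner, free in seen_free:
        if free:
            # Assumption: save behaves as insert-or-update on the key.
            db.execute("INSERT OR REPLACE INTO session VALUES (?, ?)", (key, owner))
    q = "SELECT owner FROM session WHERE session_key = ?"
    return db.execute(q, (key,)).fetchone()[0]

def create_session(db, owner, new_key=lambda: secrets.token_hex(16), tries=5):
    # No separate lookup: a colliding key fails the constraint and we retry.
    for _ in range(tries):
        key = new_key()
        try:
            with db:  # commit on success, roll back on error
                db.execute("INSERT INTO session VALUES (?, ?)", (key, owner))
            return key
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError("could not allocate a unique session key")

if __name__ == "__main__":
    print(racy_interleaving(make_db(), "dup"))
    db = make_db()
    keys = iter(["dup", "dup", "fresh"])  # constructed collision
    print(create_session(db, "alice", lambda: next(keys)),
          create_session(db, "bob", lambda: next(keys)))
```

In the racy path both requests hold the same key and the row ends up owned by the later writer; in `create_session` the second request is pushed onto a fresh key and the first owner's row is untouched.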