Hi Paul,

The documentation you linked to was updated yesterday to reflect the issue I brought up with cookie-stored sessions.
Again, the behavior is a surprise to most developers.

Thanks!
G. S. McNamara

On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <[email protected]> wrote:
> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's
> password, they can log in as that user. Seriously, "full disclosure"
> of well documented behavior is not particularly impressive.
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <[email protected]>
> > To: <[email protected]>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
> > invalidation issue
> >
> > FD,
> >
> > I’m back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
> > (not the default this time) that is afflicted by the same issue I posted
> > about previously concerning Ruby on Rails:
> >
> > If you obtain a user’s cookie, even if they log out, you can still log
> > in as them.
> >
> > The short write-up is here, if needed:
> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> >
> > Cheers,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
