> Again, the behavior is a surprise to most developers.

If it surprises developers, then what do you think it does to unsuspecting users?

It's akin to a builder installing a lock on a house that does not work, and the builder not telling the home owner. It's already game over, whether it's documented or not.

Perhaps the Django developers should take time to read Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (www.cl.cam.ac.uk/~rja14/book.html).

Jeff

On Thu, Oct 3, 2013 at 10:39 AM, G. S. McNamara <[email protected]> wrote:
> Hi Paul,
>
> The documentation you linked to was updated yesterday to reflect the issue I
> brought up with cookie-stored sessions.
>
> Again, the behavior is a surprise to most developers.
>
> Thanks!
>
> G. S. McNamara
>
> On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <[email protected]> wrote:
>> G. S. McNamara:
>>
>> Perhaps next you will disclose that if an attacker obtains a user's
>> password, they can log in as that user. Seriously, "full disclosure"
>> of well documented behavior is not particularly impressive.
>>
>> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>>
>> Cheers,
>> -Paul
>>
>> > From: "G. S. McNamara" <[email protected]>
>> > To: <[email protected]>
>> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
>> > invalidation issue
>> >
>> > FD,
>> >
>> > I’m back!
>> >
>> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
>> > (not the default this time) that is afflicted by the same issue I posted
>> > about previously concerning Ruby on Rails:
>> >
>> > If you obtain a user’s cookie, even if they log out, you can still log
>> > in as them.
>> >
>> > The short write-up is here, if needed:
>> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>> >
>> > Cheers,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
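The behaviour the thread argues about, as an added worked example that is not part of any post above and not Django's own code. A minimal HMAC-signed cookie stands in for the signed_cookies backend, an in-memory dict stands in for the database backend, and the third class is a hypothetical mitigation (a per-user generation counter) added here only to show what invalidating a stateless cookie costs. The names CookieSessionApp, DbSessionApp, RevocableCookieSessionApp, replay_after_logout and the demo SECRET_KEY are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment uses a long random SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict) -> str:
    """Serialise session data into a signed cookie value: <payload>.<hmac>."""
    payload = _b64e(json.dumps(data, sort_keys=True).encode("utf-8"))
    mac = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def load_session(cookie: str) -> Optional[dict]:
    """Return the session dict if the signature verifies, else None.
    Nothing here can tell whether the cookie was issued before a logout."""
    try:
        payload, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None


class CookieSessionApp:
    """Stateless backend in the spirit of signed_cookies: the server keeps
    nothing, so 'logout' can only ask the browser to drop the cookie."""

    def login(self, user: str) -> str:
        return sign_session({"user": user})

    def logout(self, cookie: str) -> None:
        # Equivalent to Set-Cookie: sessionid=; Max-Age=0. The old value
        # still carries a valid signature and is accepted if replayed.
        return None

    def current_user(self, cookie: str) -> Optional[str]:
        session = load_session(cookie)
        return session.get("user") if session else None


class DbSessionApp:
    """Server-side backend: the cookie is an opaque key and logout deletes
    the record, so a replayed key maps to nothing."""

    def __init__(self) -> None:
        self.store: dict = {}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.store[sid] = {"user": user}
        return sid

    def logout(self, sid: str) -> None:
        self.store.pop(sid, None)

    def current_user(self, sid: str) -> Optional[str]:
        return self.store.get(sid, {}).get("user")


class RevocableCookieSessionApp(CookieSessionApp):
    """Hypothetical mitigation (assumption of this example): a per-user
    counter kept server-side and baked into the signed cookie. Logout bumps
    it, so every cookie issued earlier fails the check. This costs a lookup
    per request, which is exactly the state signed cookies set out to avoid."""

    def __init__(self) -> None:
        self.generation: dict = {}

    def login(self, user: str) -> str:
        return sign_session({"user": user, "gen": self.generation.get(user, 0)})

    def logout(self, cookie: str) -> None:
        session = load_session(cookie)
        if session:
            user = session["user"]
            self.generation[user] = self.generation.get(user, 0) + 1

    def current_user(self, cookie: str) -> Optional[str]:
        session = load_session(cookie)
        if not session or session.get("gen") != self.generation.get(session["user"], 0):
            return None
        return session["user"]


def replay_after_logout(app) -> Optional[str]:
    """Log in, let an attacker copy the cookie, log out, replay the copy."""
    cookie = app.login("alice")
    stolen = cookie  # copied in transit, from disk, from a proxy log, ...
    app.logout(cookie)
    return app.current_user(stolen)


if __name__ == "__main__":
    for app in (CookieSessionApp(), DbSessionApp(), RevocableCookieSessionApp()):
        print(f"{type(app).__name__:28s} replay after logout -> {replay_after_logout(app)!r}")
```

The same check is what a practitioner should run against a real deployment before choosing a signed-cookie backend: log in, copy the cookie value, log out, send the copy again. If the request is still authenticated, logout is client-side only, and only the cookie's age limit and a SECRET_KEY rotation (which invalidates every signed cookie at once) bound the exposure of a stolen value.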
