[ https://issues.apache.org/jira/browse/MODPYTHON-254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Grisha Trubetskoy updated MODPYTHON-254:
----------------------------------------
Component/s: core (was: session)
Description: Cookies should generate a random salt when signing so that
cookies are not vulnerable to dictionary attacks. Also cookies use default
hmac, which in turn defaults to MD5 signatures. We should probably move on to
SHA given how weak MD5 has been shown to be. (was: Sessions should generate a
random salt when signing so that cookies are not vulnerable to dictionary
attacks. In general storage of any data in signed cookies should be discouraged
in favor of storing the session locally and only passing on a session id to the
browser. Also sessions use default hmac, which in turn defaults to MD5
signatures. We should probably move on to SHA given how weak MD5 has been shown
to be.)
Summary: Signed Cookies should use a salt and not rely on md5. (was:
Signed Sessions should use a salt and not rely on md5.)
> Signed Cookies should use a salt and not rely on md5.
> -----------------------------------------------------
>
> Key: MODPYTHON-254
> URL: https://issues.apache.org/jira/browse/MODPYTHON-254
> Project: mod_python
> Issue Type: Bug
> Components: core
> Affects Versions: 3.3.1
> Reporter: Grisha Trubetskoy
>
> Cookies should generate a random salt when signing so that cookies are not
> vulnerable to dictionary attacks. Also cookies use default hmac, which in
> turn defaults to MD5 signatures. We should probably move on to SHA given how
> weak MD5 has been shown to be.
--
This message is automatically generated by JIRA.
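
One way to implement the change the issue asks for, shown beside the unsalted HMAC-MD5 behaviour it describes. This is an added example, not mod_python's code: the `salt$sig$value` layout, the 16-byte salt, the function names and the sample secret are all assumptions.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumption: 128-bit random salt per cookie


def legacy_sign(secret: bytes, name: str, value: str) -> str:
    """Unsalted HMAC-MD5 as the issue describes it: the same
    (name, value) always yields the same signature."""
    return hmac.new(secret, (name + value).encode(), hashlib.md5).hexdigest()


def _mac(secret: bytes, salt: str, name: str, value: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot
    # produce the same MAC input.
    parts = (salt.encode(), name.encode(), value.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    # digestmod is explicit, so nothing falls back to an MD5 default.
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_cookie(secret: bytes, name: str, value: str) -> str:
    """Return 'salt$sig$value' (hypothetical layout) with a fresh salt."""
    # Fresh salt per cookie: identical (name, value) pairs no longer
    # share one signature.
    salt = secrets.token_hex(SALT_BYTES)
    return f"{salt}${_mac(secret, salt, name, value)}${value}"


def verify_cookie(secret: bytes, name: str, cookie: str):
    """Return the value if the signature is valid, otherwise None."""
    try:
        salt, sig, value = cookie.split("$", 2)
    except ValueError:
        return None  # malformed: fewer than three fields
    expected = _mac(secret, salt, name, value)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return value
```
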