Signed Sessions should use a salt and not rely on md5.
------------------------------------------------------
Key: MODPYTHON-254
URL: https://issues.apache.org/jira/browse/MODPYTHON-254
Project: mod_python
Issue Type: Bug
Components: session
Affects Versions: 3.3.1
Reporter: Grisha Trubetskoy
Sessions should generate a random salt when signing so that cookies are not
vulnerable to dictionary attacks. In general storage of any data in signed
cookies should be discouraged in favor of storing the session locally and only
passing on a session id to the browser. Also sessions use default hmac, which
in turn defaults to MD5 signatures. We should probably move on to SHA given how
weak MD5 has been shown to be.
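As an added illustration (not mod_python's own code) of the two points above: an unsalted HMAC-MD5 tag beside a per-cookie salted HMAC-SHA256 tag with constant-time verification. The `SECRET` value and the dot-separated cookie layout are assumptions made for the example.

```python
# Added example, not mod_python's session code. Compares the weak shape the
# report describes (no salt, MD5 default) with a salted SHA-256 HMAC cookie.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder; a real deployment loads this from server-side config.
SECRET = b"server-side secret (constructed placeholder)"


def sign_weak(payload: bytes, secret: bytes = SECRET) -> str:
    """Unsalted HMAC-MD5 over the payload. Identical session contents always
    produce an identical tag, which is what lets a leaked cookie be matched
    against a precomputed table."""
    tag = hmac.new(secret, payload, hashlib.md5).hexdigest()
    return payload.decode() + "|" + tag


def sign(payload: bytes, secret: bytes = SECRET, salt: Optional[bytes] = None) -> str:
    """Salted HMAC-SHA256. A fresh 16-byte salt is generated per cookie and
    shipped inside it; the salt is covered by the tag, so it cannot be swapped."""
    if salt is None:
        salt = secrets.token_bytes(16)
    tag = hmac.new(secret, salt + payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (salt, payload, tag))


def verify(cookie: str, secret: bytes = SECRET) -> Optional[bytes]:
    """Return the payload if the tag checks out, else None. Any structural
    defect is rejected, and the tag comparison is constant-time."""
    try:
        salt_b64, payload_b64, tag_b64 = cookie.split(".")
        salt = base64.urlsafe_b64decode(salt_b64)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong field count or bad base64 (binascii.Error subclasses it)
        return None
    expected = hmac.new(secret, salt + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


if __name__ == "__main__":
    print("weak tags repeat:", sign_weak(b"uid=42") == sign_weak(b"uid=42"))
    print("salted tags differ:", sign(b"uid=42") != sign(b"uid=42"))
    print("round trip:", verify(sign(b"uid=42")))
```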