summaryrefslogtreecommitdiff
path: root/docs/topics/http
diff options
context:
space:
mode:
authorErik Romijn <eromijn@solidlinks.nl>2013-05-18 16:35:39 +0200
committerTim Graham <timograham@gmail.com>2013-08-15 12:21:14 -0400
commit2b750fff5653781f07e65a54a99e7da66361ec9e (patch)
treeb566b14162e52307e0863030fc9b45f1ef87ce2d /docs/topics/http
parentcb2fee567fed40f076644e4bdce906225d2fd6a8 (diff)
[1.5.x] Fixed #20444 -- Cookie-based sessions does not include a remote code execution-warning
Backport of d5ce2ff5e4 from master
Diffstat (limited to 'docs/topics/http')
-rw-r--r--docs/topics/http/sessions.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index 03692fb1fd..0e6df4a076 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -124,6 +124,17 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
+ **If the :setting:`SECRET_KEY` is not kept secret, this can lead to
+ arbitrary remote code execution.**
+
+ An attacker in possession of the :setting:`SECRET_KEY` can not only
+ generate falsified session data, which your site will trust, but also
+ remotely execute arbitrary code, as the data is serialized using pickle.
+
+ If you use cookie-based sessions, pay extra care that your secret key is
+ always kept completely secret, for any system which might be remotely
+ accessible.
+
**The session data is signed but not encrypted**
When using the cookies backend the session data can be read by the client.