summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-10-02 10:15:18 -0400
committerTim Graham <timograham@gmail.com>2013-10-02 10:15:42 -0400
commit1f6306106005fbf9e9457d2857fb6898e07b122c (patch)
treed2b701a056caddbd2c197722cf50d332236f04dc /docs
parent7ebd10019d5c6c173825a41c5d435c80bee7b82a (diff)
[1.5.x] Clarified session replay attack differences with cookie backend.
Backport of 00a0d3de02 from master
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/http/sessions.txt8
1 files changed, 6 insertions, 2 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index 41155f16b3..6661266fb5 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -154,8 +154,12 @@ and the :setting:`SECRET_KEY` setting.
integrity of the data (that it is all there and correct), it cannot
guarantee freshness i.e. that you are being sent back the last thing you
sent to the client. This means that for some uses of session data, the
- cookie backend might open you up to `replay attacks`_. Cookies will only be
- detected as 'stale' if they are older than your
+ cookie backend might open you up to `replay attacks`_. Unlike other session
+ backends which keep a server-side record of each session and invalidate it
+ when a user logs out, cookie-based sessions are not invalidated when a user
+ logs out. Thus if an attacker steals a user's cookie, he can use that
+ cookie to login as that user even if the user logs out. Cookies will only
+ be detected as 'stale' if they are older than your
:setting:`SESSION_COOKIE_AGE`.
**Performance**