summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2011-10-17 15:43:24 +0000
committerLuke Plant <L.Plant.98@cantab.net>2011-10-17 15:43:24 +0000
commit6205a348f084cbab8d2953accecfc04b9fc75543 (patch)
treeb7d2f379259e6a1368e45ab75e26eff59207f26e /docs
parent87ffc6a6c2475fcbf61b4f27b49152901ca041cc (diff)
Added warning about replay attacks when using the cookies backend for sessions.
The paragraph about encryption was reworded for clarity. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/http/sessions.txt32
1 files changed, 24 insertions, 8 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index a2849ae6eb..0826310514 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting.
.. warning::
- **The session data is signed but not encrypted!**
+ **The session data is signed but not encrypted**
- When using the cookies backend the session data can be read out
- and will be invalidated when being tampered with. The same invalidation
- happens if the client storing the cookie (e.g. your user's browser)
- can't store all of the session cookie and drops data. Even though
- Django compresses the data, it's still entirely possible to exceed
- the `common limit of 4096 bytes`_ per cookie.
+ When using the cookies backend the session data can be read by the client.
- Also, the size of a cookie can have an impact on the `speed of your site`_.
+ A MAC (Message Authentication Code) is used to protect the data against
+ changes by the client, so that the session data will be invalidated when being
+ tampered with. The same invalidation happens if the client storing the
+ cookie (e.g. your user's browser) can't store all of the session cookie and
+ drops data. Even though Django compresses the data, it's still entirely
+ possible to exceed the `common limit of 4096 bytes`_ per cookie.
+
+ **No freshness guarantee**
+
+ Note also that while the MAC can guarantee the authenticity of the data
+ (that it was generated by your site, and not someone else), and the
+ integrity of the data (that it is all there and correct), it cannot
+ guarantee freshness i.e. that you are being sent back the last thing you
+ sent to the client. This means that for some uses of session data, the
+ cookie backend might open you up to `replay attacks`_. Cookies will only
+ detected as 'stale' if they are older than your
+ :setting:`SESSION_COOKIE_AGE`.
+
+ **Performance**
+
+ Finally, the size of a cookie can have an impact on the `speed of your site`_.
.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3
+.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack
.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/
Using sessions in views