[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Jeffrey Walton noloader at gmail.com
Thu Oct 3 22:30:37 UTC 2013


Here's some more reading on the subject. It was recently updated, and
effectively states Django is susceptible to session management attacks
under some configurations.
https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions

On Wed, Oct 2, 2013 at 11:47 AM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> It's not a django default, does it get turned on in Horizon configurations?
>
> On 02/10/2013 10:09, "Jeffrey Walton" <noloader at gmail.com> wrote:
>
>>Not sure if this made anyone's radar....
>>
>>(I'm not sure about the 1.7 version, though).
>>
>>---------- Forwarded message ----------
>>From: G. S. McNamara <main at gsmcnamara.com>
>>Date: Tue, Oct 1, 2013 at 4:20 PM
>>Subject: [Full-disclosure] [Django] Cookie-based session storage
>>session invalidation issue
>>To: full-disclosure at lists.grok.org.uk
>>
>>FD,
>>
>>I'm back!
>>
>>Django versions 1.4 - 1.7 offer a cookie-based session storage option
>>(not the default this time) that is afflicted by the same issue I
>>posted about previously concerning Ruby on Rails:
>>
>>If you obtain a user's cookie, even if they log out, you can still log
>>in as them.
>>
>>The short write-up is here, if needed:
>>http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>>
>>Cheers,
>>
>>G. S. McNamara
>>