[Openstack-security] Fwd: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

Jeffrey Walton noloader at gmail.com
Fri Oct 4 02:22:05 UTC 2013


On Thu, Oct 3, 2013 at 6:30 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> Here's some more reading on the subject. It was recently updated, and
> effectively states django is susceptible to session management attacks
> under some configurations.
> https://docs.djangoproject.com/en/1.4/topics/http/sessions/#using-cookie-based-sessions.
It's now being tracked: VU#160862 (thanks Kurt).

> On Wed, Oct 2, 2013 at 11:47 AM, Clark, Robert Graham
> <robert.clark at hp.com> wrote:
>> It's not a django default, does it get turned on in Horizon configurations?
>>
>> On 02/10/2013 10:09, "Jeffrey Walton" <noloader at gmail.com> wrote:
>>
>>>Not sure if this made anyone's radar....
>>>
>>>(I'm not sure about the 1.7 version, though).
>>>
>>>---------- Forwarded message ----------
>>>From: G. S. McNamara <main at gsmcnamara.com>
>>>Date: Tue, Oct 1, 2013 at 4:20 PM
>>>Subject: [Full-disclosure] [Django] Cookie-based session storage
>>>session invalidation issue
>>>To: full-disclosure at lists.grok.org.uk
>>>
>>>FD,
>>>
>>>I'm back!
>>>
>>>Django versions 1.4–1.7 offer a cookie-based session storage option
>>>(not the default this time) that is afflicted by the same issue I
>>>posted about previously concerning Ruby on Rails:
>>>
>>>If you obtain a user's cookie, even if they log out, you can still log
>>>in as them.
>>>
>>>The short write-up is here, if needed:
>>>http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>>>
>>>Cheers,
>>>
>>>G. S. McNamara

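The mechanics behind the forwarded report, as an added illustration that is not part of the thread, of Django, or of McNamara's write-up: a minimal HMAC-signed session cookie in the style of a signed-cookie backend sits beside a server-side store in the style of Django's default database backend, and the same "copy the cookie, log out, replay the copy" sequence is run against both. SECRET_KEY, CookieOnlySessions, ServerSideSessions and replay_after_logout are hypothetical names chosen for the example; the scenario data is constructed.

```python
"""Why a purely cookie-based session cannot be invalidated on logout.

Added illustration (not Django code). SECRET_KEY, CookieOnlySessions and
ServerSideSessions are hypothetical names for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: stands in for the app's signing key


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize session data and append an HMAC-SHA256 tag: payload.signature."""
    payload = _b64e(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def verify_session(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag verifies, else None.

    Integrity is protected (a tampered payload fails), but nothing here can tell
    a cookie copied before logout from one that is still legitimately in use.
    """
    try:
        payload, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(payload))
    except ValueError:  # bad split, bad base64 or bad JSON are all ValueError subclasses
        return None


class CookieOnlySessions:
    """All session state lives in the cookie; the server keeps nothing."""

    def login(self, user_id: str) -> str:
        return sign_session({"uid": user_id})

    def logout(self, cookie: str) -> None:
        # The server can only send Set-Cookie to delete the browser's copy.
        # Every other copy of the cookie is untouched and still verifies.
        return None

    def current_user(self, cookie: str):
        data = verify_session(cookie)
        return data["uid"] if data else None


class ServerSideSessions:
    """Cookie carries only an opaque random id; the data lives server-side."""

    def __init__(self) -> None:
        self._store: dict = {}

    def login(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"uid": user_id}
        return sid

    def logout(self, cookie: str) -> None:
        # Deleting the server record kills every copy of the cookie at once.
        self._store.pop(cookie, None)

    def current_user(self, cookie: str):
        data = self._store.get(cookie)
        return data["uid"] if data else None


def replay_after_logout(sessions):
    """Constructed scenario: the cookie is copied, the user logs out, the copy is replayed."""
    cookie = sessions.login("alice")
    stolen_copy = cookie  # the copy an attacker captured earlier
    sessions.logout(cookie)
    return sessions.current_user(stolen_copy)


if __name__ == "__main__":
    print("cookie-only backend after logout:", replay_after_logout(CookieOnlySessions()))
    print("server-side backend after logout:", replay_after_logout(ServerSideSessions()))
```

Against the cookie-only backend the replayed copy still resolves to "alice"; against the server-side store it resolves to nothing. The signature does its job in both cases (a payload re-encoded for a different user fails verification), so the weakness is the absence of any server-side state to revoke, not forgery. With a signed-cookie backend the only levers are the cookie's expiry window, which bounds the exposure rather than ending it, and rotating the signing key, which logs out every user at once.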