Hi Everyone,

I took a stab at implementing this. I'd appreciate any feedback on the PR <https://github.com/django/django/pull/8736>.

The 8tracks leak over the weekend <https://blog.8tracks.com/2017/06/27/password-security-alert/> highlights the importance of hashing session ids. The attacker only gained access to backups of the database. AFAIK with the current version of Django, the attacker would've been able to log in as any user that hadn't been logged out by simply setting a cookie. By storing the session ids as hashes, we can effectively mitigate this attack vector.
Thanks for the feedback,
Chris

On Thursday, September 22, 2016 at 2:41:22 PM UTC-4, Aymeric Augustin wrote:
>
> On 22 Sep 2016, at 20:32, James Bennett <ubern...@gmail.com> wrote:
>
> > So personally I'd like to hear some more about why this is seen as necessary before I'd endorse work to actually implement it.
>
> The reason why I originally filed a security report is that session stores tend to have less focus on security than databases.
>
> Of course this is a moot point when sessions are stored in the database, but I won’t start a debate about why Django still encourages this, this isn’t the point of this thread ;-)
>
> For example Redis is well known for advertising that it has no security and should only be run within a secure network. (Defense in depth, anyone?) Still a bunch of companies provide Redis as a service, usually on random EC2 instances directly reachable from the Internet. The best ones require going through an SSL endpoint and providing a password, but an attacker can still talk directly to Redis, which is concerning given its stance on security.
>
> In contrast, the authors of PostgreSQL have implemented an authentication and authorization framework. I’m not qualified to say if it’s robust, but at least it’s better than shrugging off security entirely.
>
> --
> Aymeric.
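Added illustration of the mitigation Chris describes above (example code, not Django's session backend and not the code in PR #8736): a hypothetical in-memory session store that keeps only a hash of each session id, so a value copied out of a leaked backup of the session table cannot be replayed as a cookie.

```python
import hashlib
import secrets


class HashedSessionStore:
    """Hypothetical session store: the table holds hashes, never raw ids."""

    def __init__(self):
        # Plays the role of the session table that leaks with a DB backup.
        self._rows = {}  # hashed session id -> session data

    @staticmethod
    def _hash(session_id: str) -> str:
        # Session ids are high-entropy random tokens, so a plain unkeyed
        # hash suffices: a leaked digest cannot be inverted to the cookie
        # value, and presenting the digest itself as a cookie will not match.
        return hashlib.sha256(session_id.encode("ascii")).hexdigest()

    def create(self, data: dict) -> str:
        # The raw id is handed only to the client as the cookie value.
        session_id = secrets.token_urlsafe(32)
        self._rows[self._hash(session_id)] = dict(data)
        return session_id

    def load(self, cookie_value: str):
        # Hash whatever the client presented and look that up.
        return self._rows.get(self._hash(cookie_value))

    def leaked_rows(self) -> list:
        # What an attacker holding a backup of the table gets to see.
        return list(self._rows.keys())


def demo():
    """Returns (legitimate lookup, lookup from leaked value, values equal)."""
    store = HashedSessionStore()
    sid = store.create({"user_id": 42})
    # Legitimate client: the cookie it was given resolves to its session.
    legit = store.load(sid)
    # Attacker with the backup: the only value available is the stored hash,
    # and setting it as the cookie resolves to nothing.
    stolen = store.leaked_rows()[0]
    from_backup = store.load(stolen)
    return legit, from_backup, stolen == sid
```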