[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAsS5mosnyCDGwnHRYN+r6SH0U1zcsHYz6y8hfeEYi8MmH-Azw@mail.gmail.com>
Date: Thu, 3 Oct 2013 10:39:39 -0400
From: "G. S. McNamara" <main@...cnamara.com>
To: Paul McMillan <paul@...illan.ws>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Django] Cookie-based session storage session
invalidation issue
Hi Paul,
The documentation you linked to was updated yesterday to reflect the issue
I brought up with cookie-stored sessions.
Again, the behavior is a surprise to most developers.
Thanks!
G. S. McNamara
On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul@...illan.ws> wrote:
> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's
> password, they can log in as that user. Seriously, "full disclosure"
> of well documented behavior is not particularly impressive.
>
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <main@...cnamara.com>
> > To: <full-disclosure@...ts.grok.org.uk>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
> invalidation issue
> >
> > FD,
> >
> > I’m back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
> (not the default > this time) that is afflicted by the same issue I posted
> about previously concerning Ruby > on Rails:
> >
> > If you obtain a user’s cookie, even if they log out, you can still log
> in as them.
> >
> > The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> >
> > Cheers,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists