Full Disclosure
mailing list archives
Re: [Django] Cookie-based session storage session invalidation issue
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 3 Oct 2013 17:46:37 -0400
Again, the behavior is a surprise to most developers.
If it surprises developers, then what do you think it does to
unsuspecting users?
It's akin to a builder installing a lock on a house that does not
work, and the builder not telling the home owner.
It's already game over, whether it's documented or not. Perhaps the
Django developers should take time to read Peter Gutmann's Engineering
Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross
Anderson's Security Engineering (www.cl.cam.ac.uk/~rja14/book.html).
Jeff
On Thu, Oct 3, 2013 at 10:39 AM, G. S. McNamara <main () gsmcnamara com> wrote:
Hi Paul,
The documentation you linked to was updated yesterday to reflect the issue I
brought up with cookie-stored sessions.
Again, the behavior is a surprise to most developers.
Thanks!
G. S. McNamara
On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul () mcmillan ws> wrote:
G. S. McNamara:
Perhaps next you will disclose that if an attacker obtains a user's
password, they can log in as that user. Seriously, "full disclosure"
of well documented behavior is not particularly impressive.
https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
Cheers,
-Paul
From: "G. S. McNamara" <main () gsmcnamara com>
To: <full-disclosure () lists grok org uk>
Subject: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue
FD,
I’m back!
Django versions 1.4 – 1.7 offer a cookie-based session storage option
(not the default this time) that is afflicted by the same issue I posted
about previously concerning Ruby on Rails:
If you obtain a user’s cookie, even if they log out, you can still log
in as them.
The short write-up is here, if needed:
http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
Cheers,
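The behaviour described in the post above, and one server-side mitigation, as an added example that is not Django's code nor anything from the thread: a minimal HMAC-signed cookie session where logout cannot revoke a copied cookie, beside a variant that keeps a per-user "session generation" on the server and bumps it at logout. The signing key, the in-memory generation store and all function names are assumptions.

```python
# Added example (not Django's implementation): signed-cookie sessions hold all
# state client-side, so a copied cookie stays valid after logout. The hardened
# variant reintroduces a small piece of server state to make revocation possible.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-signing-key"   # assumption: server-only secret

def encode_session(data: dict) -> str:
    """Serialise and HMAC-sign session data; everything lives in the cookie."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + mac

def decode_session(cookie: str):
    """Return the session dict if the signature verifies, else None."""
    payload, _, mac = cookie.partition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))

# --- Stateless variant: the issue reported in the thread --------------------
def stateless_logout(cookie: str) -> str:
    """Logout only asks the browser to drop its cookie; the server forgets nothing."""
    return ""   # i.e. Set-Cookie: sessionid=; expires=<past>

def stateless_user_for(cookie: str):
    sess = decode_session(cookie)
    return sess["uid"] if sess else None   # any valid copy still authenticates

# --- Hardened variant: per-user generation counter kept server-side ----------
SESSION_GEN: dict = {}   # uid -> current generation (assumption: a persistent store)

def login(uid: str) -> str:
    return encode_session({"uid": uid, "gen": SESSION_GEN.setdefault(uid, 0)})

def logout(uid: str) -> None:
    """Bump the generation so every cookie previously issued for uid is rejected."""
    SESSION_GEN[uid] = SESSION_GEN.get(uid, 0) + 1

def user_for(cookie: str):
    sess = decode_session(cookie)
    if not sess or sess.get("gen") != SESSION_GEN.get(sess["uid"], 0):
        return None   # forged, tampered, or issued before the last logout
    return sess["uid"]
```

The trade-off is that the hardened form is no longer purely cookie-based: the server must look up one counter per user on every request, which is exactly the state a cookie-only backend avoids.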
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/