Re: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

["G. S. McNamara" <garrettmc@xxxxxxxxx>]

Hi Paul,

The documentation you linked to was updated yesterday to reflect the issue
I brought up with cookie-stored sessions.

Again, the behavior is a surprise to most developers.

Thanks!

G. S. McNamara


On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan <paul@xxxxxxxxxxx> wrote:

> G. S. McNamara:
>
> Perhaps next you will disclose that if an attacker obtains a user's
> password, they can log in as that user. Seriously, "full disclosure"
> of well documented behavior is not particularly impressive.
>
>
> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>
> Cheers,
> -Paul
>
> > From: "G. S. McNamara" <main@xxxxxxxxxxxxxx>
> > To: <full-disclosure@xxxxxxxxxxxxxxxxx>
> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
> invalidation issue
> >
> > FD,
> >
> > I’m back!
> >
> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
> (not the default > this time) that is afflicted by the same issue I posted
> about previously concerning Ruby > on Rails:
> >
> > If you obtain a user’s cookie, even if they log out, you can still log
> in as them.
> >
> > The short write-up is here, if needed:
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
> >
> > Cheers,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/