quetz-mod_python-dev mailing list archives

From "Grisha Trubetskoy (JIRA)" <j...@apache.org>
Subject [jira] Created: (MODPYTHON-254) Signed Sessions should use a salt and not rely on md5.
Date Tue, 30 Dec 2008 22:42:44 GMT
Signed Sessions should use a salt and not rely on md5.
------------------------------------------------------

                 Key: MODPYTHON-254
                 URL: https://issues.apache.org/jira/browse/MODPYTHON-254
             Project: mod_python
          Issue Type: Bug
          Components: session
    Affects Versions: 3.3.1
            Reporter: Grisha Trubetskoy


Sessions should generate a random salt when signing so that cookies are not vulnerable to
dictionary attacks. In general, storage of any data in signed cookies should be discouraged
in favor of storing the session locally and only passing a session id to the browser. Also,
sessions use the default hmac, which in turn defaults to MD5 signatures. We should probably move
on to SHA given how weak MD5 has been shown to be.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
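The three changes the issue asks for (a random per-cookie salt, a SHA-family HMAC instead of MD5, and keeping session data on the server behind an opaque id) are shown below as an added example. This is illustrative code written for this page, not mod_python's Session or Cookie implementation; the cookie format `salt.payload.mac`, the names `sign_payload`, `verify_payload`, `legacy_md5_sign`, `ServerSideSessionStore` and `forge_payload`, and the constructed `SECRET` are all assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example secret; a real deployment loads this from server config.
SECRET = b"example-server-secret-do-not-ship"


def sign_payload(secret: bytes, payload: bytes, salt: Optional[bytes] = None) -> str:
    """Sign payload with HMAC-SHA256 over a random 16-byte salt.

    The salt travels with the cookie, so the same payload signed twice
    yields two different cookies. Format (assumed): salt_hex.payload_hex.mac_hex
    """
    if salt is None:
        salt = os.urandom(16)
    mac = hmac.new(secret, salt + payload, hashlib.sha256).hexdigest()
    return f"{salt.hex()}.{payload.hex()}.{mac}"


def verify_payload(secret: bytes, cookie: str) -> Optional[bytes]:
    """Return the payload if the cookie's MAC verifies, otherwise None."""
    try:
        salt_hex, payload_hex, mac_hex = cookie.split(".")
        salt = bytes.fromhex(salt_hex)
        payload = bytes.fromhex(payload_hex)
        mac = bytes.fromhex(mac_hex)
    except ValueError:
        return None  # malformed cookie: wrong field count or non-hex data
    expected = hmac.new(secret, salt + payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing per matching byte.
    if not hmac.compare_digest(expected, mac):
        return None
    return payload


def legacy_md5_sign(secret: bytes, payload: bytes) -> str:
    """The weak construction the issue describes: keyed MD5, no salt.

    Without a salt every cookie carrying the same payload gets the same tag,
    so tags for likely payloads can be precomputed offline and cookies
    with equal payloads are linkable.
    """
    return hmac.new(secret, payload, hashlib.md5).hexdigest()


class ServerSideSessionStore:
    """Keep session data on the server; the browser only sees an opaque id."""

    def __init__(self) -> None:
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = dict(data)
        return sid

    def load(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def forge_payload(cookie: str, new_payload: bytes) -> str:
    """Attacker's move: swap the payload but keep the original salt and MAC."""
    salt_hex, _old_payload, mac_hex = cookie.split(".")
    return f"{salt_hex}.{new_payload.hex()}.{mac_hex}"


if __name__ == "__main__":
    cookie = sign_payload(SECRET, b"user=alice")
    print("verified payload:", verify_payload(SECRET, cookie))
    print("forged cookie accepted:", verify_payload(SECRET, forge_payload(cookie, b"user=admin")))
    print("unsalted MD5 tags repeat:",
          legacy_md5_sign(SECRET, b"user=alice") == legacy_md5_sign(SECRET, b"user=alice"))
    print("salted SHA-256 cookies repeat:",
          sign_payload(SECRET, b"user=alice") == sign_payload(SECRET, b"user=alice"))
    store = ServerSideSessionStore()
    sid = store.create({"user": "alice"})
    print("server-side lookup:", store.load(sid))
```

The salted path makes two cookies for the same payload unequal, while `legacy_md5_sign` returns the same tag every time; the forged cookie fails verification because the MAC covers both salt and payload. The store at the end is the pattern the issue prefers: nothing but a random id ever reaches the browser, so there is no payload to sign or to tamper with.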

