quetz-mod_python-dev mailing list archives

From "Grisha Trubetskoy (JIRA)" <j...@apache.org>
Subject [jira] Updated: (MODPYTHON-254) Signed Cookies should use a salt and not rely on md5.
Date Tue, 30 Dec 2008 22:42:44 GMT

     [ https://issues.apache.org/jira/browse/MODPYTHON-254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Grisha Trubetskoy updated MODPYTHON-254:
----------------------------------------

    Component/s:     (was: session)
                 core
    Description: Cookies should generate a random salt when signing so that cookies are not
vulnerable to dictionary attacks. Also cookies use default hmac, which in turn defaults to
MD5 signatures. We should probably move on to SHA given how weak MD5 has been shown to be.
 (was: Sessions should generate a random salt when signing so that cookies are not vulnerable
to dictionary attacks. In general storage of any data in signed cookies should be discouraged
in favor of storing the session locally and only passing on a session id to the browser. Also
sessions use default hmac, which in turn defaults to MD5 signatures. We should probably move
on to SHA given how weak MD5 has been shown to be.)
        Summary: Signed Cookies should use a salt and not rely on md5.  (was: Signed Sessions
should use a salt and not rely on md5.)

> Signed Cookies should use a salt and not rely on md5.
> -----------------------------------------------------
>
>                 Key: MODPYTHON-254
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-254
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3.1
>            Reporter: Grisha Trubetskoy
>
> Cookies should generate a random salt when signing so that cookies are not vulnerable
to dictionary attacks. Also cookies use default hmac, which in turn defaults to MD5 signatures.
We should probably move on to SHA given how weak MD5 has been shown to be.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
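As an added illustration of the two changes the issue asks for, a random salt per signature and an HMAC over SHA rather than MD5, here is a small Python signer and verifier (example code written for this page, not code from mod_python or from the issue). SECRET_KEY is a constructed placeholder; the weak MD5 form is kept beside it only to show that unsalted signing makes equal cookie values produce identical tags.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder; a real deployment loads the key from configuration.
SECRET_KEY = b"example-secret-key-replace-me"


def weak_sign(value: str, secret: bytes = SECRET_KEY) -> str:
    """Unsalted HMAC-MD5 tag: the same value always yields the same tag."""
    return hmac.new(secret, value.encode(), hashlib.md5).hexdigest()


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding; the alphabet never contains '.'
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(value: str, secret: bytes = SECRET_KEY,
                salt: Optional[bytes] = None) -> str:
    """Return 'salt.value.mac' with mac = HMAC-SHA256(secret, salt || value).

    A fresh 16-byte salt per signature means equal values get different
    tags, so one captured cookie reveals nothing about another's content.
    """
    if salt is None:
        salt = os.urandom(16)
    body = f"{_b64(salt)}.{_b64(value.encode())}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie: str, secret: bytes = SECRET_KEY) -> Optional[str]:
    """Return the original value if the tag verifies, otherwise None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    salt_b64, value_b64, mac = parts
    expected = hmac.new(secret, f"{salt_b64}.{value_b64}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak matching prefixes.
    if not hmac.compare_digest(expected, mac):
        return None
    return _unb64(value_b64).decode()
```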

