[mod_python] Session.py and "secret" parameter. Is it secure?

Brian Bird brian.bird at securetrading.com
Wed Aug 11 11:44:39 EDT 2004

I'm implementing a session-based login system using mod_python. I decided to
use SignedCookie because the cookie will contain the login name of the
authenticated user and I therefore need to ensure the cookie has not been
tampered with on the client (If there's a better way to do this kind of
thing could someone point me in the right direction?).

If I create a session using the following command: 
s=Session.DbmSession(self.req, secret="mysecret") 

then the session will be created using SignedCookie. If on a subsequent
request I perform the same command I get back the same session. Everything
is fine so far.

However, if I change the value of "mysecret" I thought I would get an error
(since this is equivalent to someone tampering with the signed cookie isn't
it?). The command works though. 

I see from looking at Session.py that a SignedCookie is created (line 111 in
Session.py), but it's type is not checked (the documentation says you should
check the type to ensure it is SignedCookie not Cookie, otherwise the
signature verification has failed). The variable "cookies" normally contains
a SignedCookie object, but when I change "mysecret" it contains a Cookie

Does this mean that the cookie signature is not being verified correctly if
using Session.py or am I missing something? 

Why does SignedCookie return an instance of Cookie if the signature
verification fails rather than raising an Exception?


More information about the Mod_python mailing list