dharana
dharana at dharana.net
Wed Jun 15 17:55:55 EDT 2005
Just for the record. In Spain millions of users are forced to go through our ISP's forced proxies. I have to mess with HTTP_X_FORWARDED_FOR and other HTTP headers to find their real IP. If someone is worried about collisions they could always subclass session and make their own session_id generator function. It could also be possible to let them choose a hash function (md5, sha1, whirlpool, etc). I don't think adding the IP to make it harder to find collisions is really so much of an advantage; think of NAT users.

http://www.google.com/search?q=telefonica%20proxies%20problems

Jim Gallacher wrote:
> Jim Gallacher wrote:
>
>> Graham Dumpleton wrote:
>>
>>> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>>>
>>>> I was looking through the Session code and I found an omission that
>>>> bothers me.
>>>>
>>>> In all the session mechanisms I've implemented in the past I have
>>>> always checked that the person resuming the session is at the same IP
>>>> as the person who created it.
>>>>
>>>> Anyone who gleans the session cookie (which is sent in plaintext on
>>>> every request) could pass themselves off as the original person. If
>>>> you check the IP you restrict this down from the entire internet to
>>>> only people on the same network, which makes it less likely to happen.
>>>>
>>>> Is there a reason for omitting this, something I don't understand
>>>> maybe?
>>>
>>> You can use req.connection to find the user's incoming IP address and
>>> save that in the session yourself for later checking.
>>>
>>> I.e., not a prepackaged check, but the bits are there for you to do it
>>> yourself in the manner you need.
>>
>> Since I'm (still) messing with the session code, maybe this is worth
>> building into the base code now? If it is a security issue let's
>> address it and save users the worry and bother of implementing their own.
>
> Oh, and another thing that's always bothered me just a little: md5
> collisions of the generated session ids. I know the probability of a
> collision is extremely low, but it is finite. Checking an existing
> session against the IP would eliminate any chance of a collision (I think).
>
> Regards,
> Jim
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

--
dharana
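The thread touches three things a session implementation has to decide: how the session id is generated (and with which hash), whether a session is bound to the client IP, and how that IP is recovered when users sit behind forced proxies. The example below is added here as an illustration and is not mod_python's Session code or anything posted in the thread; the names `client_ip`, `SessionStore`, `create` and `resume` are my own, as are the constructed addresses and headers in the usage section. It trusts X-Forwarded-For only when the direct peer is one of a configured set of proxies, regenerates an id on the (astronomically unlikely) store collision instead of relying on the IP to disambiguate, and makes IP binding optional because NAT and proxy pools make it unreliable for many users.

```python
import hashlib
import ipaddress
import secrets
import time
from typing import Dict, Iterable, Optional


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Recover the client address from X-Forwarded-For without trusting the client.

    Each proxy appends the address it saw, so the right-most entry was written by
    the proxy nearest us.  Walk the list from the right, skipping only proxies we
    trust; the first untrusted, well-formed address is the client.  Anything to
    the left of it may have been set by the client and is ignored.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            a = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(a in net for net in trusted)

    # If the peer is not one of our proxies, the header is untrustworthy.
    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
        return hop
    return remote_addr  # every hop was one of our own proxies


class SessionStore:
    """In-memory session store with a pluggable digest and optional IP binding."""

    def __init__(self, hash_name: str = "sha256", bind_ip: bool = False) -> None:
        if hash_name not in hashlib.algorithms_available:
            raise ValueError("unsupported hash: %s" % hash_name)
        self.hash_name = hash_name
        self.bind_ip = bind_ip
        self._sessions: Dict[str, dict] = {}

    def new_id(self) -> str:
        # 256 bits from the OS CSPRNG; the digest only gives the id a fixed,
        # cookie-safe shape, it is not where the unpredictability comes from.
        return hashlib.new(self.hash_name, secrets.token_bytes(32)).hexdigest()

    def create(self, ip: str) -> str:
        sid = self.new_id()
        while sid in self._sessions:   # collision handling: draw again
            sid = self.new_id()
        self._sessions[sid] = {"ip": ip, "created": time.time()}
        return sid

    def resume(self, sid: str, ip: str) -> Optional[dict]:
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        # Optional binding: a stolen cookie presented from another address is
        # refused.  Users behind NAT or rotating proxies may be refused too.
        if self.bind_ip and sess["ip"] != ip:
            return None
        return sess


if __name__ == "__main__":
    # Constructed sample: our reverse proxy at 10.0.0.5 forwarded a request whose
    # header the client tried to pad with a bogus left-most entry.
    proxies = ["10.0.0.0/8"]
    ip = client_ip("10.0.0.5", "spoofed-value, 198.51.100.9", proxies)
    store = SessionStore("sha256", bind_ip=True)
    sid = store.create(ip)
    print(ip, sid, store.resume(sid, ip) is not None, store.resume(sid, "203.0.113.7"))
```

The digest name is taken from hashlib, so a deployment that wants a different function changes one constructor argument; the security of the id rests on `secrets.token_bytes`, not on the digest's collision resistance.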