[mod_python] Question about Session security

Jim Gallacher jg.lists at sympatico.ca
Wed Jun 15 18:46:26 EDT 2005


dharana wrote:
> Just for the record. In Spain millions of users are forced to go 
> through our ISP's forced proxies. I have to mess with 
> HTTP_X_FORWARDED_FOR and other HTTP headers to find their real IP.
> 
> If someone is worried about collisions they could always subclass 
> session and make their own session_id generator function. It could also 
> be possible to let them choose a hash function (md5, sha1, whirlpool, etc)

The collision thing is just me being paranoid. An asteroid could drop on 
my house tomorrow, but it's unlikely. Still, these are the kinds of 
things I worry about. Call me a pessimist. :)

> I don't think adding the IP to make it harder to find collisions is 
> really so much of an advantage, think of NAT users.

And as Nick pointed out, a user may want to access a long lived session 
from different locations. At this point my time is probably better spent 
elsewhere rather than on this.

Regards
Jim

> 
> http://www.google.com/search?q=telefonica%20proxies%20problems
> 
> 
> Jim Gallacher wrote:
> 
>> Jim Gallacher wrote:
>>
>>> Graham Dumpleton wrote:
>>>
>>>> On 16/06/2005, at 6:36 AM, Dan Eloff wrote:
>>>>
>>>>> I was looking through the Session code and I found an omission that 
>>>>> bothers me.
>>>>>
>>>>> In all the session mechanisms I've implemented in the past I have
>>>>> always checked that the person resuming the session is at the same ip
>>>>> as the person who created it.
>>>>>
>>>>> Anyone who gleans the session cookie (which is sent in plaintext on
>>>>> every request) could pass themselves off as the original person. If
>>>>> you check the ip you restrict this down from the entire internet to
>>>>> only people on the same network, which makes it less likely to happen.
>>>>>
>>>>> Is there a reason for omitting this, something I don't understand 
>>>>> maybe?
>>>>
>>>> You can use req.connection to find the user's incoming IP address and
>>>> save that in the session yourself for later checking.
>>>>
>>>> Ie., not a prepackaged check, but the bits are there for you to do it
>>>> yourself in the manner you need.
>>>
>>> Since I'm (still) messing with the session code, maybe this is worth 
>>> building into the base code now? If it is a security issue let's 
>>> address it and save users the worry and bother of implementing their 
>>> own.
>>>
>>
>> Oh and another thing that's always bothered me just a little - md5 
>> collisions of the generated session ids. I know the probability of a 
>> collision is extremely low, but it is finite. Checking an existing 
>> session against the ip would eliminate any chance of a collision (I 
>> think).
>>
>> Regards,
>> Jim
>> _______________________________________________
>> Mod_python mailing list
>> Mod_python at modpython.org
>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>>
>>
> 
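The mechanism Graham and Jim discuss above (record the connecting address when a session is created and compare it on resume), together with dharana's two caveats (forced proxies that only surface the client in X-Forwarded-For, and NAT users who share one address), as an added Python example. This is not mod_python's Session code; the SessionStore, the client_ip helper, the trusted_proxies set and the bind_to_ip switch are this example's own names. It assumes the caller passes in the peer address (in mod_python that would come from req.connection) rather than reading the request itself.

```python
"""Session ids plus an optional client-address binding check.

Added example, not mod_python's Session implementation.  The peer address
is supplied by the caller (assumption: taken from req.connection in
mod_python); nothing here reads a request object.
"""
import secrets
import time
from ipaddress import ip_address


def new_session_id() -> str:
    # 128 bits from the OS CSPRNG.  Two ids can only collide by chance
    # (birthday bound around 2**64 ids), and the value is not derivable
    # from a timestamp or counter the way an md5-of-something id can be.
    return secrets.token_hex(16)


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Address to record for this request.

    X-Forwarded-For is only honoured when the direct peer is a proxy we
    trust; any client can put whatever it likes in the header otherwise.
    Walking the chain from the right, the first hop that is not one of our
    proxies is the address the last trusted proxy appended.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for addr in reversed(hops + [remote_addr]):
        if addr in trusted_proxies:
            continue
        try:
            ip_address(addr)
        except ValueError:
            break  # malformed entry: do not trust the header at all
        return addr
    return remote_addr


class SessionStore:
    """In-memory store; `bind_to_ip=False` is the setting for deployments
    with roaming users, who legitimately resume from other addresses."""

    def __init__(self, bind_to_ip=True, timeout=1800):
        self._sessions = {}
        self.bind_to_ip = bind_to_ip
        self.timeout = timeout

    def create(self, ip, now=None):
        now = time.time() if now is None else now
        sid = new_session_id()
        while sid in self._sessions:  # regenerate on the (practically impossible) collision
            sid = new_session_id()
        self._sessions[sid] = {"ip": ip, "created": now, "last": now, "data": {}}
        return sid

    def resume(self, sid, ip, now=None):
        """Return the session dict, or None when the id is unknown, the
        session has expired, or (with bind_to_ip) the presenting address
        differs from the creating one.  The mismatch case is refused but
        not deleted, so the original holder's session survives."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last"] > self.timeout:
            del self._sessions[sid]
            return None
        if self.bind_to_ip and sess["ip"] != ip:
            return None
        sess["last"] = now
        return sess


if __name__ == "__main__":
    # Constructed addresses: a trusted proxy at 10.0.0.2 forwarding for 203.0.113.7.
    store = SessionStore(bind_to_ip=True)
    ip = client_ip("10.0.0.2", "203.0.113.7", trusted_proxies={"10.0.0.2"})
    sid = store.create(ip)
    print(store.resume(sid, "203.0.113.7") is not None)  # same address: resumed
    print(store.resume(sid, "198.51.100.9"))              # other address: None
```

The NAT point from the thread is visible in the store's behaviour: two clients behind the same NAT present the same address, so the binding check cannot tell them apart and only narrows who can replay a captured cookie, as Dan's message says. The random id generator addresses Jim's collision worry at the source; the IP comparison is kept as a separate, switchable check rather than something the id depends on.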