[mod_python] Secure Sessions patch

Graham Dumpleton grahamd at dscpl.com.au
Mon Dec 18 05:33:36 EST 2006 

Daniel Adler wrote ..
> Hi,
> 
> I saw there was a discussion on this topic already:
> http://www.modpython.org/pipermail/mod_python/2006-May/021260.html
> and came up with the same wish -
> I want to force a session cookie to be explicitly created for https.
> 
> I have added a "secure" parameter to the session class constructors.
> If it is set AND req.is_https(), the cookie will be created wiht "secure"
> set.
> 
> A diff of session.py in release 3.2.10 with this feature is available on
> http://neoscientists.org/~plex/mod_python_3_2_10_session_with_secure_cookie.diff

I'd suggest that an explicit argument to Session.Session() is probably
not the best way of doing this. I am also dubious of it only being set
if HTTPS is used as that suggests that if first access is not via HTTPS,
that one could then continue to access the site thereafter without it
needing it to be HTTPS which defeats the purpose of having it in the
first place as you want to probably force it to be HTTPS always and not
allow HTTP at all.

In place of an argument to Session.Session(), a PythonOption setting
would possibly be more appropriate and would then be similar with how
other aspects of cookies are configured for sessions. For example:

  PythonOption mod_python.session.secure: 1

By being an option it is easier to apply it to the complete URL
namespace for an application, especially if application is coded poorly
and doesn't have all session creation performed in one place only, or
you can't modify the code for the application easily.

In being set this way, 'secure' should also perhaps always be set,
regardless of whether HTTPS is used. The outcome of this is that the
client would never send the cookie back if it wasn't HTTPS, thus result
would be always being pushed back to the login form (session creation
point) if not HTTPS, thereby clearly indicating that something is wrong
and also not inadvertently still letting someone in by accident through
HTTP.

Another possible issue is whether through Session instance it should be
possible to access the cookie properties and interrogate if the cookie
for a session had the 'secure' attribute. If you don't have a means of
validating that it was secure cookie, then someone could modify the
cookie on the client side, remove the secure attribute and change from
using HTTPS to HTTP and possibly start to reveal information in traffic
that you didn't want to be revealed.

On the latter point, one could argue that setting the PythonOption
should also be a trigger for the Session class to perform a validation
and always reject any cookie that doesn't have the 'secure' flag,
presuming that the 'secure' flag is actually sent back with the cookie
by the client.

Thus, I can seem merit in what you are trying to achieve, but it perhaps
needs some more thought as to how it should be achieved to ensure that
there aren't back doors in the way it is done.

Graham

More information about the Mod_python mailing list