[mod_python] Secure Sessions

marinus van aswegen mvanaswegen at gmail.com
Tue May 30 09:19:09 EDT 2006


Hi Jim

It's a good security practice not to permit the client to send a
sessionid to a non-secured (non-https) site, even if it's encrypted.
I just wanted to do this with mod_python.

I found the following via Google.
http://issues.apache.org/jira/browse/MODPYTHON-108

Marinus

On 5/30/06, Jim Gallacher <jpg at jgassociates.ca> wrote:
> marinus van aswegen wrote:
> > Hi All
> >
> > I've noticed that I can tell cookies to only be sent to secured sites
> > (ala https),
>
> Are you referring to mod_python or something else? Perhaps you are
> misunderstanding the nature of the SignedCookie class. Quoting from the
> docs:
>
> "This class creates cookies whose name and value are automatically
> signed using HMAC (md5) with a provided secret 'secret', which must be a
> non-empty string."
>
> http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html#l2h-202
>
> > however I didn't see the same option for the session
> > class. Am I missing something here?
>
> Yes, if you *are* referring to signed cookies. Just pass the secret to
> the session constructor, same as if you were creating a SignedCookie.
>
> session = Session.Session(req, secret="some secret")
>
> Quoting from the docs for BaseSession:
>
> "When a secret is provided, BaseSession will use SignedCookie when
> generating cookies thereby making the session id almost impossible to
> fake. The default is to use plain Cookie (though even if not signed, the
> session id is generated to be very difficult to guess)."
>
> http://www.modpython.org/live/current/doc-html/pyapi-sess-classes.html#l2h-209
>
> > It's a good practice when using
> > https to have your sessionid cookie only sent to the secure site
>
> As far as I know this is not a mod_python capability out of the box.
> You'll need to test if it is an https request in your code and act
> accordingly.
>
> > (should also be in the faq).
>
> Well, maybe but I think this is the first time anyone has asked this
> question, so it doesn't really qualify as frequently asked. ;)
>
> Jim
>
>
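To make the two points in the thread concrete (a signed session id, plus the server-side https check Jim suggests instead of a built-in option), here is an added stand-alone Python example; it is not mod_python code and not from the thread. It uses only the standard library's http.cookies and hmac, and the cookie name, signature format (HMAC-SHA256 rather than mod_python's HMAC-MD5) and function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "pysid"  # cookie name chosen for this example


def sign(secret: str, name: str, value: str) -> str:
    """HMAC over cookie name and value, as the thread describes for SignedCookie
    (SHA-256 here instead of MD5; the encoding is this example's own)."""
    mac = hmac.new(secret.encode(), f"{name}={value}".encode(), hashlib.sha256)
    return mac.hexdigest()


def make_session_cookie(secret: str, session_id: Optional[str] = None) -> str:
    """Return a Set-Cookie header value carrying a signed session id that the
    browser will only send back over https (Secure) and will not expose to
    page scripts (HttpOnly)."""
    session_id = session_id or secrets.token_hex(16)  # unguessable id
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{session_id}.{sign(secret, COOKIE_NAME, session_id)}"
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["httponly"] = True
    return cookie.output(header="").strip()


def load_session_id(cookie_header: str, secret: str, is_https: bool) -> Optional[str]:
    """Recover the session id from a request's Cookie header.
    Returns None when the request is not https (the check Jim suggests doing in
    application code), when the cookie is missing, or when the signature fails."""
    if not is_https:
        return None
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None or "." not in morsel.value:
        return None
    session_id, _, mac = morsel.value.rpartition(".")
    if not hmac.compare_digest(mac, sign(secret, COOKIE_NAME, session_id)):
        return None
    return session_id
```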