<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.4630.0">
<TITLE>Bug in BaseSession.py</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">I posted a similar question about this a while ago but got no reply, so I've done some more investigation:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">In Session.py, the BaseSession class takes an optional secret parameter. However, when the cookie is created its type is not checked to ensure it is of type "SignedCookie" instead of just "Cookie". The documentation (</FONT><A HREF="http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">http://www.modpython.org/live/current/doc-html/pyapi-cookie-classes.html</FONT></U></A><FONT SIZE=2 FACE="Arial">) says you must do this, otherwise the secret parameter is essentially irrelevant.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">(I can't write my own subclass to fix this because the cookies variable is local and unavailable to subclasses)</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I'd suggest having an extra couple of lines at line 117 of Session.py saying something like:</FONT>
</P>
<PRE>
if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
    raise Exception("Tampered Cookie")
</PRE>
<P><FONT SIZE=2 FACE="Arial">Or perhaps instead of raising an exception we should just not set self._sid which will mean the existing cookie will be ignored:</FONT></P>
<PRE>
if cookies.has_key(COOKIE_NAME):
    if secret and (type(cookies[COOKIE_NAME]) is not Cookie.SignedCookie):
        pass
    else:
        self._sid = cookies[COOKIE_NAME].value
</PRE>
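<P><FONT SIZE=2 FACE="Arial">The following is an added, self-contained illustration of the check proposed above; it is not code from mod_python or from this post. It stands in for mod_python's Cookie module with a simplified model of the documented behaviour the post relies on: when a secret is supplied, cookies whose signature verifies come back as SignedCookie objects and everything else comes back as a plain Cookie. The signature scheme (HMAC-SHA256 tag prepended to the value), the cookie name "pysid", the helper names get_cookies, session_id_from_cookies and session_id_from_header, and all sample cookie values are this example's own assumptions. It then applies the second option from the post (ignore the cookie rather than raise), so a session id is only ever taken from a SignedCookie when a secret is configured.</FONT></P>

```python
import hashlib
import hmac

# Cookie name used for the session id (constructed default for this example).
COOKIE_NAME = "pysid"
# Hex length of an HMAC-SHA256 tag (this example's choice, not mod_python's).
TAG_LEN = 64


class Cookie:
    """Plain, unauthenticated cookie (stand-in for mod_python's Cookie.Cookie)."""

    def __init__(self, name, value):
        self.name = name
        self.value = value


class SignedCookie(Cookie):
    """Cookie whose value carries an HMAC tag; the parser only constructs one
    when the tag verifies (stand-in for mod_python's Cookie.SignedCookie)."""

    def __init__(self, name, value, secret):
        super().__init__(name, value)
        self.secret = secret

    def __str__(self):
        # Serialised as name=<tag><value>, tag computed over the value.
        return "%s=%s%s" % (self.name, sign(self.secret, self.value), self.value)


def sign(secret, value):
    """HMAC-SHA256 tag of a cookie value under the server secret."""
    return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()


def get_cookies(header, secret=None):
    """Parse a Cookie request header into {name: Cookie-or-SignedCookie}.

    With a secret, a cookie whose tag verifies becomes a SignedCookie; any
    other cookie (no tag, wrong tag, value altered after signing) is returned
    as a plain Cookie. Without a secret nothing is verified."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, raw = part.split("=", 1)
        name = name.strip()
        if secret is not None and len(raw) > TAG_LEN:
            tag, value = raw[:TAG_LEN], raw[TAG_LEN:]
            if hmac.compare_digest(tag, sign(secret, value)):
                cookies[name] = SignedCookie(name, value, secret)
                continue
        cookies[name] = Cookie(name, raw)
    return cookies


def session_id_from_cookies(cookies, secret=None):
    """The check the post proposes: when a secret is configured, only a
    SignedCookie is trusted; a plain Cookie is ignored (returns None) so the
    session layer falls through to creating a fresh session instead."""
    cookie = cookies.get(COOKIE_NAME)
    if cookie is None:
        return None
    if secret and not isinstance(cookie, SignedCookie):
        return None
    return cookie.value


def session_id_from_header(header, secret=None):
    """Convenience wrapper: parse the header, then apply the type check."""
    return session_id_from_cookies(get_cookies(header, secret), secret)


if __name__ == "__main__":
    secret = "example-secret"  # constructed; never hard-code a real secret
    # Cookie issued by the server: carries a valid tag, accepted.
    issued = str(SignedCookie(COOKIE_NAME, "abc123", secret))
    print(session_id_from_header(issued, secret))       # abc123
    # Same cookie with its value altered after signing: tag no longer verifies.
    altered = issued[:-1] + "X"
    print(session_id_from_header(altered, secret))      # None
    # Cookie with no tag at all: a plain Cookie, ignored while a secret is set.
    print(session_id_from_header("pysid=abc123", secret))  # None
    # With no secret configured the plain cookie is accepted, as before.
    print(session_id_from_header("pysid=abc123"))       # abc123
```

<P><FONT SIZE=2 FACE="Arial">The example uses isinstance rather than the post's type(...) is not comparison, so a subclass of SignedCookie would still pass; either form expresses the same rule. Returning None rather than raising matches the second option in the post: an untrusted cookie is simply treated as absent.</FONT></P>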
<BR>
<P><FONT SIZE=2 FACE="Arial">Any comments? I need this fixing for the project I'm writing - if there are no better suggestions, how do I get this patched? I think the second solution is better (but only because it's more convenient for my particular project ;-) so perhaps someone can think of a more generic solution?</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Thanks,</FONT>
<BR><FONT SIZE=2 FACE="Arial">Brian</FONT>
</P>
</BODY>
</HTML>