Ticket #408 (defect)
Opened 3 years ago
Last modified 2 years ago
SessionFilter doesn't check result of generateSessionID() against sessionStorage
Status: closed (fixed)
| Reported by: | anonymous | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | CherryPy code | Keywords: | session sessionid generation |
| Cc: | | | |
The current (r860) SessionFilter implementation does not check the result of generateSessionID() against the contents of its sessionStorage, which may result in the obliteration of the data of an active session with nonzero probability.
Change History
05/16/06 15:21:29: Modified by jvanasco@gmail.com
- priority changed from lowest to high.
- severity changed from normal to major.
08/12/06 02:08:24: Modified by fumanchu
- status changed from new to closed.
- resolution set to fixed.
Fixed in [1240].
12/10/06 18:00:43: Modified by fumanchu
2.x fix in [1510].


I was about to add this too after looking through some session stuff. I changed it to major/high though, because that's a really big issue. It's improbable, but not impossible.
What is needed is something like this:

```python
import hashlib  # replaces the retired `sha` module used in the original snippet
import random

# `sess` is the SessionFilter instance whose session_storage is consulted (not defined here)

# internally reference _generate_session_id()
def _generate_session_id():
    """Loop a generator for a new session_id"""
    potential_id = False
    while not potential_id:
        potential_id = generate_session_id()
        # reject the candidate if an active session already uses it
        if sess.session_storage.load(potential_id):
            potential_id = None
    return potential_id

def generate_session_id():
    """Return a new session_id"""
    return hashlib.sha1(('%s' % random.random()).encode()).hexdigest()
```
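As an added example (not the ticket's or CherryPy's own code), the collision check proposed above written against a stand-in store with a bounded retry; `SessionStore`, `new_session_id` and `max_attempts` are assumed names, and ids come from `secrets.token_hex`, since `random.random()` is not a cryptographic generator.

```python
# Added example: collision-checked session id generation (assumed names, not CherryPy code).
import secrets
from typing import Callable, Dict, Optional

class SessionStore:
    """Minimal in-memory stand-in for the filter's sessionStorage (assumed API)."""
    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}

    def load(self, session_id: str) -> Optional[dict]:
        # Mirrors the `load(potential_id)` check the ticket proposes.
        return self._data.get(session_id)

    def save(self, session_id: str, data: dict) -> None:
        self._data[session_id] = data

def random_session_id() -> str:
    """128 bits from the OS CSPRNG, hex-encoded (32 characters)."""
    return secrets.token_hex(16)

def new_session_id(store: SessionStore,
                   generate: Callable[[], str] = random_session_id,
                   max_attempts: int = 10) -> str:
    """Return an id that is not already present in `store`.

    Without this check a collision would silently overwrite the data of an
    active session (the defect in ticket #408). The attempt bound turns a
    broken generator (e.g. one that returns a constant) into an error
    instead of an infinite loop.
    """
    for _ in range(max_attempts):
        candidate = generate()
        if store.load(candidate) is None:
            return candidate
    raise RuntimeError("could not generate an unused session id")

if __name__ == "__main__":
    store = SessionStore()
    store.save("a" * 32, {"user": "alice"})       # constructed existing session
    # Constructed generator that collides on its first draw, then yields a fresh id.
    script = iter(["a" * 32, "b" * 32])
    sid = new_session_id(store, generate=lambda: next(script))
    print(sid)   # prints "b" * 32: the colliding "a" * 32 was rejected
```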