Ticket #777 (enhancement)
Opened 5 months ago
Signed session cookies
Status: new
| Reported by: | guest | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | sessions | Keywords: | session, security, signed, cookies |
| Cc: |
Signed cookies add a layer of security against session hijacking by guessing. The following patch allows cookies to be 'signed': when an ID id is generated, so is a signature s, where s = SHA(seckey + id) which only the server can verify. The session cookie is then set to the value id:s, and this allows the server to validate that it has set the ID.
Patch against sessions.py #1868:
67a68
> self.secret_key = kwargs.get('secret_key', None)
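Review bot: the new secret_key option is read here with a default of None and no comment or docstring, and because the later hunks test `if self.secret_key`, an empty string silently falls back to unsigned IDs. Document the option where it is read, and consider rejecting an empty key explicitly instead of treating it as "signing off".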
73a75,78
> elif self.secret_key:
> sid, signature = id.split(':', 1)
> if not sha.new(self.secret_key + sid).hexdigest() == signature:
> raise cherrypy.HTTPError()
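Review bot: `sid, signature = id.split(':', 1)` raises ValueError when the cookie value contains no ':', so a malformed or pre-upgrade cookie surfaces as an unhandled exception instead of the HTTPError on the following lines; check the split result before unpacking. The `==` comparison of the hex digests is not constant-time, and `raise cherrypy.HTTPError()` passes no status, so give it an explicit one. Because this is an `elif`, the check only runs when the preceding condition (outside this diff) is false; confirm that no path accepts a client-supplied ID without reaching it.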
111c116,121
< return sha.new('%s' % random.random()).hexdigest()
---
> session_id = sha.new('%s' % random.random()).hexdigest()
> if self.secret_key:
> signature = sha.new(self.secret_key + session_id).hexdigest()
> return '%s:%s' % (session_id, signature)
> else:
> return session_id
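Review bot: the signature on the third added line is `sha.new(self.secret_key + session_id)`, a secret-prefix hash and not a keyed MAC; SHA-1 used this way is open to length extension, so compute it with the standard library's hmac module, passing the key and session_id as separate arguments. Separately, the ID in this branch still comes from `random.random()`, which is not a cryptographic generator, so the signature is the only thing standing between a guessed ID and an accepted one.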
115c125,130
< return os.urandom(20).encode('hex')
---
> session_id = os.urandom(20).encode('hex')
> if self.secret_key:
> signature = sha.new(self.secret_key + session_id).hexdigest()
> return '%s:%s' % (session_id, signature)
> else:
> return session_id
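Review bot: these added lines repeat the signing logic of the previous hunk, and the verification hunk recomputes the same digest a third time; move it into one helper method so that generation and verification cannot drift apart. The returned value now contains ':' and the signature, and the visible lines do not show whether the rest of the class keys its storage on `sid` or on the full signed string, so that should be stated or tested.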

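The id:s scheme described in the ticket, as an added example that is not part of the ticket or of the CherryPy code base. It is written for Python 3 and substitutes HMAC-SHA256 for the ticket's SHA(seckey + id); the function names and the fixed 40/64-character hex formats are assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed formats: 20 random bytes as hex for the ID, HMAC-SHA256 hex for s.
_ID_RE = re.compile(r"[0-9a-f]{40}")
_SIG_RE = re.compile(r"[0-9a-f]{64}")


def sign(secret_key: bytes, session_id: str) -> str:
    """s = HMAC-SHA256(seckey, id), used here in place of SHA(seckey + id)."""
    return hmac.new(secret_key, session_id.encode("ascii"),
                    hashlib.sha256).hexdigest()


def new_cookie_value(secret_key: bytes) -> str:
    """Generate a fresh ID and return the cookie value 'id:s'."""
    if not secret_key:
        # An empty key must not silently mean "unsigned".
        raise ValueError("secret_key must be non-empty")
    session_id = os.urandom(20).hex()
    return "%s:%s" % (session_id, sign(secret_key, session_id))


def verify_cookie_value(secret_key: bytes, value: str):
    """Return the session ID if the server issued this value, else None."""
    sid, sep, signature = value.partition(":")
    # Reject a missing separator and anything not shaped like our own output;
    # malformed client input must fail closed, not raise.
    if not sep or not _ID_RE.fullmatch(sid) or not _SIG_RE.fullmatch(signature):
        return None
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sign(secret_key, sid), signature):
        return None
    return sid


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value, not a real secret
    cookie = new_cookie_value(key)
    print("issued:  ", cookie)
    print("accepted:", verify_cookie_value(key, cookie))
    print("unsigned:", verify_cookie_value(key, cookie.split(":")[0]))
```

A caller that gets None back should treat the request as having no session and issue a fresh ID.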
