Ticket #489 (defect)
Opened 3 years ago
Last modified 2 years ago
secure session key
Status: closed (fixed)
| Reported by: | guest | Assigned to: | mikerobi |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | CherryPy code | Keywords: | |
| Cc: |
sessionfilter.py uses
```python
def generate_session_id():
    """ Return a new session_id """
    return sha.new('%s' % random.random()).hexdigest()
```
which is a bit insecure. Much better would be:
```python
def generate_session_id():
    """ Return a new session_id """
    return os.urandom(20).encode('hex')
```
Change History
03/16/06 09:44:11: Modified by dowski
03/16/06 11:15:25: Modified by guest
What about as an alternative for python 2.3?
''.join(['%x' % random.randint(0,15) for _ in range(40)])
03/22/06 09:58:40: Modified by anonymous
- severity changed from normal to major.
It's not like I've got any commit rights to the repository to do the fix...
05/30/06 22:15:17: Modified by mikerobi
- owner changed from rdelon to mikerobi.
- status changed from new to assigned.
We should definitely use a secure random number generator if available, but generating multiple random numbers using the same (insecure) random number generator does not improve security. Incorporating another variable, such as the time, or a number generated with a different algorithm would not necessarily be secure, but it would be better than generating multiple random numbers with the same function.
08/12/06 01:51:48: Modified by fumanchu
- status changed from assigned to closed.
- resolution set to fixed.
Fixed in [1239].


That sounds good. Since os.urandom is new in Python 2.4, we'll have to fall back to the random.random implementation for 2.3.
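The point raised in the thread, as an added example that is not part of the ticket or CherryPy's code: both `random`-based generators are pure functions of the PRNG state, so two generators in the same state emit identical IDs, while `os.urandom` has no such user-space state. The code is a Python 3 rendering (`hashlib` in place of `sha`, `binascii.hexlify` in place of `.encode('hex')`); the function names, the fallback wiring and the seed value are assumptions made for illustration.

```python
import binascii
import hashlib
import os
import random


def weak_session_id(rng):
    """Original approach: SHA-1 over the text of a single PRNG float."""
    return hashlib.sha1(('%s' % rng.random()).encode('ascii')).hexdigest()


def hexdigit_session_id(rng):
    """Proposed Python 2.3 alternative: 40 hex digits from the same PRNG."""
    return ''.join(['%x' % rng.randint(0, 15) for _ in range(40)])


def secure_session_id():
    """Suggested fix: 20 bytes from the OS CSPRNG, hex encoded."""
    return binascii.hexlify(os.urandom(20)).decode('ascii')


def generate_session_id():
    """Prefer os.urandom; use the weak generator only where it is unavailable."""
    try:
        return secure_session_id()
    except (AttributeError, NotImplementedError):
        # AttributeError: os.urandom does not exist (Python < 2.4).
        # NotImplementedError: the platform has no randomness source.
        return weak_session_id(random)


def ids_from_state(generator, seed, count=3):
    """Return the IDs a generator emits from one known PRNG state."""
    rng = random.Random(seed)  # constructed seed, stands in for any fixed state
    return [generator(rng) for _ in range(count)]


if __name__ == '__main__':
    for gen in (weak_session_id, hexdigit_session_id):
        first = ids_from_state(gen, 1234)
        second = ids_from_state(gen, 1234)
        # Same state in, same "random" session IDs out.
        print(gen.__name__, 'repeatable:', first == second)
    print('os.urandom IDs differ:', secure_session_id() != secure_session_id())
    print('chosen generator:', generate_session_id())
```

Hashing the float or drawing 40 values instead of one changes the format of the ID, not the amount of unpredictability behind it, which is bounded by the PRNG state in both cases.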