oss-sec mailing list archives

Re: A note on cookie based sessions


From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Fri, 04 Oct 2013 11:27:01 +0600

Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So this has been published:
>
> http://maverickblogging.com/logout-is-broken-by-default-ruby-on-rails-web-applications/
>
> http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>
> Basically it boils down to this: cookie based session handling where
> you don't store state data on the backend, but instead have a cookie,
> possibly with an expiration time coded into it can be used in replay
> attacks.

I am very much surprised that Flask is not mentioned at all in your e-mail. Its default session handler uses only signed cookies, and they can't even change the default because they don't have the DB layer or any other persistent storage out of the box.

The Flask site is down at the moment, so no link to the documentation. But the problem is known, see this link for example:

http://stackoverflow.com/questions/13735024/invalidate-an-old-session-in-flask

--
Alexander E. Patrakov


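As an added illustration (not part of this thread or of Flask's own code), the following plain-Python sketch of a Flask-style signed-cookie session shows why logout cannot revoke a cookie the server never stored, next to one common mitigation: a small piece of server-side state, here a per-user generation counter kept in a constructed in-memory dict. The secret key is a constructed placeholder.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; a real app loads its SECRET_KEY from configuration.
SECRET = b"constructed-demo-secret"

def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def sign_session(data: dict) -> str:
    """Client-side session: JSON payload plus HMAC, no state kept on the server."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (payload + b"." + _b64(mac)).decode()

def verify_session(cookie: str):
    """Return the payload dict if the signature is valid, else None."""
    try:
        payload, mac = cookie.encode().split(b".")
        given = _unb64(mac)
    except ValueError:  # malformed cookie or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))

def naive_current_user(cookie: str):
    """Signature-only check: a cookie captured before logout still verifies."""
    data = verify_session(cookie)
    return data["uid"] if data else None

# Mitigation: per-user generation counter on the server (constructed in-memory
# dict; a real app would use its DB or cache). Logout bumps it, so every cookie
# minted earlier fails the comparison in current_user().
session_generation: dict = {}

def login(user_id: str) -> str:
    return sign_session({"uid": user_id, "gen": session_generation.get(user_id, 0)})

def logout(user_id: str) -> None:
    session_generation[user_id] = session_generation.get(user_id, 0) + 1

def current_user(cookie: str):
    data = verify_session(cookie)
    if data is None or data["gen"] != session_generation.get(data["uid"], 0):
        return None  # tampered, or predates the last logout: replay rejected
    return data["uid"]
```

The cost of the mitigation is one lookup per request against the store, which is exactly the server-side state the pure cookie design set out to avoid.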