Commit 6205a348 authored by Luke Plant's avatar Luke Plant
Browse files

Added warning about replay attacks when using the cookies backend for sessions. 

The paragraph about encryption was reworded for clarity.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17004 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 87ffc6a6

docs/topics/http/sessions.txt

+24 −8
Original line number Diff line number Diff line
@@ -115,18 +115,34 @@ and the :setting:`SECRET_KEY` setting. 


.. warning::



    **The session data is signed but not encrypted!**

    **The session data is signed but not encrypted**



    When using the cookies backend the session data can be read out

    and will be invalidated when being tampered with. The same invalidation

    happens if the client storing the cookie (e.g. your user's browser)

    can't store all of the session cookie and drops data. Even though

    Django compresses the data, it's still entirely possible to exceed

    the `common limit of 4096 bytes`_ per cookie.

    When using the cookies backend the session data can be read by the client.



    Also, the size of a cookie can have an impact on the `speed of your site`_.

    A MAC (Message Authentication Code) is used to protect the data against

    changes by the client, so that the session data will be invalidated when being

    tampered with. The same invalidation happens if the client storing the

    cookie (e.g. your user's browser) can't store all of the session cookie and

    drops data. Even though Django compresses the data, it's still entirely

    possible to exceed the `common limit of 4096 bytes`_ per cookie.



    **No freshness guarantee**



    Note also that while the MAC can guarantee the authenticity of the data

    (that it was generated by your site, and not someone else), and the

    integrity of the data (that it is all there and correct), it cannot

    guarantee freshness i.e. that you are being sent back the last thing you

    sent to the client. This means that for some uses of session data, the

    cookie backend might open you up to `replay attacks`_. Cookies will only

    detected as 'stale' if they are older than your

    :setting:`SESSION_COOKIE_AGE`.



    **Performance**



    Finally, the size of a cookie can have an impact on the `speed of your site`_.



.. _`common limit of 4096 bytes`: http://tools.ietf.org/html/rfc2965#section-5.3

.. _`replay attacks`: http://en.wikipedia.org/wiki/Replay_attack

.. _`speed of your site`: http://yuiblog.com/blog/2007/03/01/performance-research-part-3/



Using sessions in views