[Twisted-web] Session class
Maarten ter Huurne
maarten at treewalker.org
Wed Oct 1 07:31:13 EDT 2008
Hi,
I was looking at twisted.web.server.Session recently and the way session
timeouts work.
The values of sessionCheckTime and sessionTimeout are not tied together in
any way. This means that if you increase the sessionTimeout, session expiry
is checked uncessarily often (although one check per 30 minutes is not
likely to become a performance problem). In the opposite case, sessions
with a short sessionTimeout will not be expired faster than the
sessionCheckTime.
The Request.getSession() method does not check whether the session has
already expired. Also, it calls Session.touch(), so if the session was past
its sessionTimeout but before the sessionCheckTime, it will be revived.
None of this is a critical problem, but it does feel a bit strange. Is the
current design motivated by something I haven't understood yet, or is it
something that works well enough in typical use even though it has some
unexpected special cases?
While reading the implementation of Session, I was wondering about the
security aspects of it.
Currently, Request.getSession() returns a cookie that is not marked as
secure, even if the request was made over HTTPS. This means that for
example someone in control of a WiFi access point can trick the browser
into sending the session cookie unencrypted. Is this indeed the case? And
if so, what is the way to fix it: should people requiring secure cookies
avoid the Session class, or should a notion of a "secure session" be added
to the Session class?
I was also wondering about the session UID. This UID is generated from a
random number (from Python's Mersenne Twister) and a counter. Then an MD5
sum is computed over the string representation of both. If the same Python
process uses the same random generator (global instance from the "random"
module) for outputting non-hashed values as well, an attacker would be able
to learn the current state of the random generator and predict the next
random number. Since the counter is also predictable, guessing the next
session UID would be simple.
Is the UID intended to be secure, or is it only intended to have a low
chance of collisions with other UIDs?
If it is intended to be secure, one way of fixing it would be to use a
secure random generator for generating the UID. However, secure random
generators depend on external entropy, which might take some time to
acquire. This would make the UID generation a potentially blocking
operation, which would require Request.getSession() to return the session
via a deferred instead of directly.
A possible way to reduce UID predictability is to instantiate a random
generator which is used only for creating UIDs, instead of using a shared
instance. Since all outputs based on these random numbers are hashed, it
will be much harder to predict the state of the random generator. My crypto
knowledge is not sufficient though to say whether this would make it secure
or just less insecure.
Bye,
Maarten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
Url : http://twistedmatrix.com/pipermail/twisted-web/attachments/20081001/3ba8aaf2/attachment.pgp
More information about the Twisted-web
mailing list