[#MODPYTHON-191] Tampering with signed cookies.

mod_python

Tampering with signed cookies.

Created: 02/Oct/06 07:33 AM Updated: 01/May/07 10:47 AM

Return to search

Component/s:

core

Affects Version/s:

3.2.10

Fix Version/s:

3.3.1

Time Tracking:

Not Specified

Resolution Date:

07/Nov/06 10:12 AM

Description

« Hide

As reported by Andy Pearce in:

http://mail-archives.apache.org/mod_mbox/httpd-python-dev/200609.mbox/%3c44F824E2.4040304@jgassociates.ca%3e

Andy Pearce wrote:
>
> Hi,
>
> I think I might have spotted a slight bug in Session.py. When the
> 'secret' parameter is supplied to use the SignedCookie class, it appears
> that __init__ of BaseSession doesn't check the return type of
> get_cookies().
>
> If I understand the SignedCookie docs correctly, if the cookie value
> doesn't match its signature, it simply returns the contents as a Cookie
> rather than a SignedCookie (indicating that the user tampered with their
> cookie before sending it back).
>
> However, there is no check in BaseSession's __init__ that the return of
> get_cookies() is a SignedCookie in the case that 'secret' is supplied.
>
> Perhaps a minor point, but it would seem to make the option of using
> SignedCookies rather pointless, since the signature isn't being checked.
> Presumably if the cookie has been tampered with, your only safe option
> is to throw it away and generate a new one. I think this can be achieved
> by changing the lines:
>
> if cookies.has_key(session_cookie_name):
> self._sid = cookies[session_cookie_name].value
>
> To something like:
>
> if cookies.has_key(session_cookie_name):
> if not secret or type(cookes[session_cookie_name]) \
> is Cookie.SignedCookie:
> self._sid = cookies[session_cookie_name].value
>
> I'm fairly new to mod_python, so if I'm mistaken then my apologies, and
> a quick explanation of why would be very much appreciated! ^_^
>
> Thanks,
>
> - Andy
>

Is this correct and should the change suggested appropriate?

All

Comments

Work Log

Change History

Subversion Commits

Sort Order:

[ Permlink | « Hide ]

Graham Dumpleton added a comment - 24/Oct/06 05:42 AM

I have marked this as fix for 3.3 as it seems worrying enough that we should address it. Can someone else provide confirmation that it is something that we should worry about and that change is reasonable.

[ Permlink | « Hide ]

Graham Dumpleton added a comment - 26/Oct/06 06:27 AM

After looking at this, I have come to the conclusion that in the context used it is not an issue. FWIW, the whole idea of allowing a Session to have a secret associated with it and thus have a signed cookie used seems to be a pointless exercise which adds little value except making the length of the cookie string longer and perhaps therefore harder to guess. To understand one needs to look at what happens when one uses a signed cookie.

When one uses a signed cookie, the string stored in the header will be something like:

  36c941203a16532574abe5e9fd3b0028some-value

That is, the first 32 characters represent the hash of the value of the cookie. As one can see, the actual value is stored in whatever follows the first 32 characters. The actual value is not encoded in any way and just appears as is.

When cookies are used for sessions, the session ID is itself a value containing 32 characters. This 32 characters are an md5 hash of a string made up of the Apache child process ID, the remote client IP address and two random numbers.

Thus, the session ID would be something like:

  b406b258f7bb1b7d655008ae528f5f0d

When one signs this, one gets:

  476e3a39cf8027511507224cf3ecff3bb406b258f7bb1b7d655008ae528f5f0d

As you can see, since the value is as is, the second set of 32 characters is still the same session ID.

The original concern expressed was the code even though told to use a signed cookie, will revert to accepting a non signed cookie. That is, if the first 32 characters are the correct hash for the second 32 characters it will reject it. It will instead take the whole value and try and use that as the SID instead.

At this point, two things still need to happen before the session can work. The first is that the whole value must be 32 characters in length and must only contain lower case alpha numeric characters. If it isn't, it will fail the initial precondition check of what constitues a valid session ID.

Even if it gets past that, the value presented as the session ID still has to actually match an active session in the session database. If it doesn't it is flagged as bogus or expired and a new session will be created with a new session ID pushed back to the browser instead.

The outcome of all this is that even if using a signed cookie for the session, that 64 characters are in the string doesn't matter as one would only need to guess the second 32 characters and simply supply that, with it being accepted as an unsigned cookie.

The question then becomes how concerned are you about the chances of someone guessing a 32 character string, that would make you want to use a 64 character string instead.

Thus, this issue certainly doesn't raise any problem that needs to be addressed at this point. As such, am going to remove this from 3.3 task list. We can consider this again later as to whether a check for a signed cookie is a good idea or not, or simply leave it as is and close the issue.

[ Show » ]

Graham Dumpleton added a comment - 26/Oct/06 06:27 AM After looking at this, I have come to the conclusion that in the context used it is not an issue. FWIW, the whole idea of allowing a Session to have a secret associated with it and thus have a signed cookie used seems to be a pointless exercise which adds little value except making the length of the cookie string longer and perhaps therefore harder to guess. To understand one needs to look at what happens when one uses a signed cookie. When one uses a signed cookie, the string stored in the header will be something like: 36c941203a16532574abe5e9fd3b0028some-value That is, the first 32 characters represent the hash of the value of the cookie. As one can see, the actual value is stored in whatever follows the first 32 characters. The actual value is not encoded in any way and just appears as is. When cookies are used for sessions, the session ID is itself a value containing 32 characters. This 32 characters are an md5 hash of a string made up of the Apache child process ID, the remote client IP address and two random numbers. Thus, the session ID would be something like: b406b258f7bb1b7d655008ae528f5f0d When one signs this, one gets: 476e3a39cf8027511507224cf3ecff3bb406b258f7bb1b7d655008ae528f5f0d As you can see, since the value is as is, the second set of 32 characters is still the same session ID. The original concern expressed was the code even though told to use a signed cookie, will revert to accepting a non signed cookie. That is, if the first 32 characters are the correct hash for the second 32 characters it will reject it. It will instead take the whole value and try and use that as the SID instead. At this point, two things still need to happen before the session can work. The first is that the whole value must be 32 characters in length and must only contain lower case alpha numeric characters. If it isn't, it will fail the initial precondition check of what constitues a valid session ID. Even if it gets past that, the value presented as the session ID still has to actually match an active session in the session database. If it doesn't it is flagged as bogus or expired and a new session will be created with a new session ID pushed back to the browser instead. The outcome of all this is that even if using a signed cookie for the session, that 64 characters are in the string doesn't matter as one would only need to guess the second 32 characters and simply supply that, with it being accepted as an unsigned cookie. The question then becomes how concerned are you about the chances of someone guessing a 32 character string, that would make you want to use a 64 character string instead. Thus, this issue certainly doesn't raise any problem that needs to be addressed at this point. As such, am going to remove this from 3.3 task list. We can consider this again later as to whether a check for a signed cookie is a good idea or not, or simply leave it as is and close the issue.

[ Permlink | « Hide ]

Graham Dumpleton added a comment - 31/Oct/06 05:32 AM

This will now be addressed as part of code changes for ~~MODPYTHON-200~~.