mod_python issue MODPYTHON-191

Tampering with signed cookies.



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: 3.2.10
    • Fix Version: 3.3.1
    • Component: core


      As reported by Andy Pearce in:

      Andy Pearce wrote:
      > Hi,
      > I think I might have spotted a slight bug in Session.py. When the
      > 'secret' parameter is supplied to use the SignedCookie class, it appears
      > that __init__ of BaseSession doesn't check the return type of
      > get_cookies().
      > If I understand the SignedCookie docs correctly, if the cookie value
      > doesn't match its signature, it simply returns the contents as a Cookie
      > rather than a SignedCookie (indicating that the user tampered with their
      > cookie before sending it back).
      > However, there is no check in BaseSession's __init__ that the return of
      > get_cookies() is a SignedCookie in the case that 'secret' is supplied.
      > Perhaps a minor point, but it would seem to make the option of using
      > SignedCookies rather pointless, since the signature isn't being checked.
      > Presumably if the cookie has been tampered with, your only safe option
      > is to throw it away and generate a new one. I think this can be achieved
      > by changing the lines:
      >
      >     if cookies.has_key(session_cookie_name):
      >         self._sid = cookies[session_cookie_name].value
      >
      > To something like:
      >
      >     if cookies.has_key(session_cookie_name):
      >         if not secret or type(cookies[session_cookie_name]) \
      >                 is Cookie.SignedCookie:
      >             self._sid = cookies[session_cookie_name].value
      >
      > I'm fairly new to mod_python, so if I'm mistaken then my apologies, and
      > a quick explanation of why would be very much appreciated!
      > Thanks,
      > - Andy

      Is this correct and is the suggested change appropriate?
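The check proposed above, as an added illustration that is not mod_python's own code: a constructed stand-in for Cookie/SignedCookie with a small HMAC-based cookie parser shows how reading the session id without the type check accepts a tampered cookie, while the proposed check discards it so a fresh session is generated. The '<sig>:<value>' format, HMAC-SHA256, and the function names are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Dict, Optional

class Cookie:
    """Constructed stand-in for mod_python's Cookie.Cookie."""
    def __init__(self, name: str, value: str) -> None:
        self.name = name
        self.value = value

class SignedCookie(Cookie):
    """Stand-in for Cookie.SignedCookie: produced only when the signature verifies."""

def sign(value: str, secret: str) -> str:
    # Assumed signature format: hex HMAC-SHA256 of the value under the secret.
    return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()

def parse_cookies(header: str, secret: Optional[str] = None) -> Dict[str, Cookie]:
    """Parse a Cookie header. With a secret, a '<sig>:<value>' entry whose signature
    verifies becomes a SignedCookie; anything else comes back as a plain Cookie,
    mirroring the fallback behaviour described in the report."""
    cookies: Dict[str, Cookie] = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, raw = part.strip().split("=", 1)
        if secret is not None and ":" in raw:
            sig, value = raw.split(":", 1)
            if hmac.compare_digest(sig, sign(value, secret)):
                cookies[name] = SignedCookie(name, value)
                continue
        cookies[name] = Cookie(name, raw)  # unsigned, or signature did not verify
    return cookies

def session_id_unchecked(cookies: Dict[str, Cookie], name: str, secret: Optional[str]):
    # The behaviour reported: the sid is taken whatever type get_cookies() returned.
    return cookies[name].value if name in cookies else None

def session_id_checked(cookies: Dict[str, Cookie], name: str, secret: Optional[str]):
    # The proposed check: trust the sid only when no secret is in use or the cookie
    # came back as a SignedCookie; otherwise discard it so a new session is created.
    if name in cookies and (not secret or type(cookies[name]) is SignedCookie):
        return cookies[name].value
    return None
```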




            grahamd Graham Phillip Dumpleton