Session ID & Security
Jan Felix Reuter
thefogger at web.de
Tue Jul 16 11:33:20 EDT 2002
Hi,
I'm developing / already have some CGI scripts written in Python. Now I want
to implement Session Management & User Authentication, which is a new area
for me. I already have a simple session ID system in place. It doesn't do
much more than assigning a random number as an ID and placing it in a
Cookie on the client. If the client already has a cookie in place the CGI
will leave it as it is and get some data from a shelve based on that ID.
(Thanks to Ian Bicking who told me that earlier)
Now I'm concerned about security, because with this scheme an attacker could
easily get access to a user's session by just guessing its ID. After some
research I found out about Message Authentication Codes and the hmac python
module. How does one use it? Do I apply the algorithm to every message (cgi
output?) and place the hash in another cookie or appended to the session ID
string? So, if the client sends back a hash that differs from the last hash
the server has sent, the session is discarded, is that how you do it?
Hashing all the output seems a bit overkill to me. Wouldn't a simple random
number suffice? I get the feeling that I misunderstood the whole MAC thing.
Yadda, yadda.
Felix
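As an added example (not Felix's code, and not from any reply in the thread), here is one way the hmac module is typically applied to a session cookie: the MAC covers only the session ID, not the page output, and the server recomputes and compares it on every request. It assumes a modern Python with `secrets` and `hmac.compare_digest`; the server key is a constructed placeholder.

```python
import hmac
import hashlib
import secrets

# Server-side secret; constructed placeholder for this example only. In a real
# deployment it is generated once, kept out of the code, and rotated if leaked.
SERVER_KEY = b"example-server-key-do-not-use"


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG (256 bits): unguessable in practice, unlike
    # a short random number. This alone answers the "guess the ID" concern;
    # the MAC below adds tamper detection on top of it.
    return secrets.token_hex(32)


def sign(session_id: str, key: bytes = SERVER_KEY) -> str:
    # HMAC-SHA256 over the session ID only, keyed with the server secret.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def make_cookie_value(session_id: str, key: bytes = SERVER_KEY) -> str:
    # The cookie carries "<id>.<mac>" so the server can verify it statelessly.
    return f"{session_id}.{sign(session_id, key)}"


def verify_cookie_value(value: str, key: bytes = SERVER_KEY):
    # Returns the session ID if the MAC checks out, otherwise None. A None
    # result means the client presented a forged or modified cookie, which
    # should be treated as "no session" rather than trusted.
    try:
        session_id, mac = value.split(".", 1)
    except ValueError:
        return None
    expected = sign(session_id, key)
    # compare_digest runs in constant time, so a mismatch does not leak how
    # many leading characters of the MAC were correct.
    if not hmac.compare_digest(mac, expected):
        return None
    return session_id


if __name__ == "__main__":
    sid = new_session_id()
    cookie = make_cookie_value(sid)
    print("valid:", verify_cookie_value(cookie) == sid)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    print("tampered accepted:", verify_cookie_value(tampered) is not None)
```

Only the session ID needs to be looked up in the shelve after verification; anything stored under an ID that never passed `verify_cookie_value` is never read.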