SessionFilter doesn't check result of generateSessionID() against sessionStorage

anonymous avataranonymous created an issue

The current (r860) SessionFilter implementation does not check the result of generateSessionID() against the contents of its sessionStorage, which may result in the obliteration of the data of an active session with nonzero probability.

Comments (5)

  1. Anonymous

    I was about to add this too after looking through some session stuff. I changed it to major/high though, because thats a really big issue. its improbable, but not impossible.

    what is needed is something like this:

    # internally reference _generate_session_id()
    
    def _generate_session_id():
        """ Loop a generator for a new session_id """
        potential_id= False
        while not potential_id:
             potential_id = generate_session_id()
             if sess.session_storage.load( potential_id ):
                  potential_id= None
        return potential_id         
        
    def generate_session_id():
        """ Return a new session_id """
        return sha.new('%s' % random.random()).hexdigest()
    
  2. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.