Issue #777 new

Signed session cookies

guest
created an issue

Signed cookies add a layer of security against session hijacking by guessing. The following patch allows cookies to be 'signed': when an ID id is generated, so is a signature s, where s = SHA(seckey + id) which only the server can verify. The session cookie is then set to the value id:s, and this allows the server to validate that it has set the ID.

Patch against sessions.py #1868: {{{ 67a68

    self.secret_key = kwargs.get('secret_key', None)
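
Review bot: the new secret_key option on this added line is undocumented and unvalidated. It defaults to None, and the later hunks test it with "if self.secret_key:", so an empty string silently turns signing off. Document the option where the other session settings are described and reject an empty key when the object is constructed.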

73a75,78 elif self.secret_key: sid, signature = id.split(':', 1) if not sha.new(self.secret_key + sid).hexdigest() == signature: raise cherrypy.HTTPError() 111c116,121 < return sha.new('%s' % random.random()).hexdigest()


        session_id = sha.new('%s' % random.random()).hexdigest()
        if self.secret_key:
            signature = sha.new(self.secret_key + session_id).hexdigest()
            return '%s:%s' % (session_id, signature)
        else:
            return session_id
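
Review bot: the signature line, sha.new(self.secret_key + session_id).hexdigest(), is a secret-prefix hash rather than a MAC, and SHA-1 in that construction is open to length extension: a valid signature for one ID can be extended to a longer string without knowing the key. Compute the signature with the hmac module keyed with self.secret_key instead. The same line appears in the 73a75,78 check and must change with it.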

115c125,130 < return os.urandom(20).encode('hex')


        session_id = os.urandom(20).encode('hex')
        if self.secret_key:
            signature = sha.new(self.secret_key + session_id).hexdigest()
            return '%s:%s' % (session_id, signature)
        else:
            return session_id
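
Review bot: these six added lines repeat the 111c116,121 hunk verbatim apart from how session_id is produced. Move the "sign and join with ':'" step into one helper that both ID generators call, so the cookie format and the signature algorithm are defined in a single place.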

}}}
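
Review bot: in the 73a75,78 hunk, id.split(':', 1) is unpacked into two names with no check that the cookie contains a colon, so an unsigned or truncated cookie raises ValueError instead of being rejected cleanly; test for the separator before unpacking. The signature is compared with ==, which is not a constant-time comparison, and cherrypy.HTTPError() with no arguments answers with status 500, so a bad cookie looks like a server fault; pass an explicit status or treat the request as having no session.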

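The id:s cookie scheme described in the issue, as an added example that is not part of the patch or of CherryPy. It assumes Python 3, uses HMAC-SHA256 in place of SHA(seckey + id), compares in constant time and returns None for a malformed cookie; the function names and DEMO_KEY are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); a real key is long, random and kept server-side.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _sign(secret_key: bytes, session_id: str) -> str:
    """Hex HMAC-SHA256 of the session ID under the server's secret key."""
    return hmac.new(secret_key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def new_session_cookie(secret_key: bytes) -> str:
    """Generate a random ID and return the cookie value 'id:signature'."""
    if not secret_key:
        raise ValueError("secret_key must be non-empty")
    session_id = secrets.token_hex(20)  # 20 random bytes, hex-encoded
    return "%s:%s" % (session_id, _sign(secret_key, session_id))


def verify_session_cookie(secret_key: bytes, cookie: str):
    """Return the session ID if the cookie was signed with secret_key, else None."""
    sid, sep, signature = cookie.partition(":")
    if not sep or not sid or not signature:
        return None  # unsigned or truncated cookie: reject, do not raise
    try:
        expected = _sign(secret_key, sid).encode("ascii")
        presented = signature.encode("utf-8")
    except UnicodeError:
        return None  # cookie bytes that cannot be encoded are never valid
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, presented):
        return None
    return sid


if __name__ == "__main__":
    cookie = new_session_cookie(DEMO_KEY)
    print("cookie:", cookie)
    print("valid:", verify_session_cookie(DEMO_KEY, cookie) is not None)
    print("unsigned:", verify_session_cookie(DEMO_KEY, cookie.split(":")[0]))
```
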