Anonymous avatar Anonymous committed fa58a3f

2.x backport of [1239] (more secure session key). See #567.

Comments (0)

Files changed (1)

cherrypy/filters/sessionfilter.py

             (now,))
 
 
-def generate_session_id():
-    """ Return a new session_id """
-    return sha.new('%s' % random.random()).hexdigest()
+try:
+    os.urandom(20)
+except (AttributeError, NotImplementedError):
+    # os.urandom not available until Python 2.4. Fall back to random.random.
+    def generate_session_id():
+        """Return a new session id."""
+        return sha.new('%s' % random.random()).hexdigest()
+else:
+    def generate_session_id():
+        """Return a new session id."""
+        return os.urandom(20).encode('hex')
+
 generateSessionID = generate_session_id
 
 # Users access sessions through cherrypy.session, but we want this
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.