[Django] #21076: Offer the ability to store a hash of session IDs rather than the ID itself


Django

Sep 9, 2013, 11:48:03 AM9/9/13
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
--------------------------------------------+------------------------
Reporter: timo | Owner: nobody
Type: New feature | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
--------------------------------------------+------------------------
We should offer the ability to store a hash of each session ID in the session
backend rather than the ID itself. This hash should be reasonably fast,
because it'll be re-computed for every request. Currently, if an attacker
gains access to the session storage backend — which may be easier than
gaining access to the database — he can log in as anyone on the site.

On a related note, we're inconsistent about whether or not we sign entries
in the session backends. Some do, some don't. If we're hashing session
keys by default, we should probably also sign everything by default.

Both of these things need an off-switch. There are a fair number of apps
that rely on raw sessionids to provide cross-framework compatibility.

--
Ticket URL: <https://code.djangoproject.com/ticket/21076>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Sep 22, 2016, 9:48:29 AM9/22/16
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Rigel Di Scala
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Rigel Di Scala):

* status: new => assigned
* owner: nobody => Rigel Di Scala


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:1>

Django

Jul 11, 2017, 9:36:40 PM7/11/17
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Chris Griffin
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Chris Griffin):

* owner: Rigel Di Scala => Chris Griffin


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:2>

Django

Jul 11, 2017, 10:41:31 PM7/11/17
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Chris Griffin
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Chris Griffin):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:3>

Django

Feb 21, 2018, 9:32:01 AM2/21/18
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Chris Griffin
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* needs_better_patch: 0 => 1


Comment:

Aymeric reviewed this on the PR, leaving suggestions for improvement. Once
those are (roughly) addressed please uncheck Patch needs improvement and
we can have another look.

--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:4>

Django

Apr 7, 2020, 1:31:59 PM4/7/20
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Mark
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by Mark):

* owner: Chris Griffin => Mark


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:5>

Django

Apr 7, 2020, 1:33:51 PM4/7/20
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Mark
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------

Comment (by Mark):

Picking this up together with #31412

--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:6>

Django

Apr 10, 2020, 4:30:07 AM4/10/20
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Mark
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------

Comment (by Mark):

Requesting feedback about naming convention (see
[https://github.com/django/django/pull/8736#issuecomment-610986822 this PR
comment]) to make a clear distinction between incoming "clear text"
session keys and session keys that are stored in the sessions backend
(potentially hashed, but not necessarily, depending on settings and
existing session keys). My suggestion is to use the names `frontend_key`
and `backend_key` respectively.

Also requesting feedback concerning a refactor of the `SessionBase` API to
DRY-up the session key conversion (see
[https://github.com/django/django/pull/8736#issuecomment-611934012 this PR
comment]).

--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:7>
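As an added illustration (not code from Django or from the PR under discussion) of the ticket's proposal and of the frontend/backend key distinction raised above: the cookie carries the clear-text `frontend_key`, the backend is keyed by a keyed hash of it (the `backend_key`), there is an off-switch, and sessions written under a raw key before hashing was enabled are still accepted and re-keyed. The in-memory store, the `hash_keys` flag and the keyed BLAKE2b choice are this example's assumptions.

```python
import hashlib
import secrets
import string

VALID_KEY_CHARS = string.ascii_lowercase + string.digits  # as in Django


class HashedKeySessionStore:
    """In-memory backend stand-in: data is keyed by a hash of the cookie key."""

    def __init__(self, secret: bytes, hash_keys: bool = True):
        self.secret = secret        # stand-in for settings.SECRET_KEY
        self.hash_keys = hash_keys  # the off-switch the ticket asks for
        self.store = {}             # backend_key -> session dict

    def backend_key(self, frontend_key: str) -> str:
        """Convert an incoming clear-text key to the key used in storage."""
        if not self.hash_keys:
            return frontend_key
        # Keyed BLAKE2b is cheap enough for every request; the '$' prefix keeps
        # hashed keys distinguishable from raw (legacy) ones in the same store.
        digest = hashlib.blake2b(frontend_key.encode(), key=self.secret,
                                 digest_size=32).hexdigest()
        return "blake2b$" + digest

    @staticmethod
    def valid_frontend_key(key: str) -> bool:
        """Cookie values are lowercase alphanumerics, so a backend key (which
        contains '$') copied out of a leaked store can never be replayed."""
        return len(key) >= 8 and all(c in VALID_KEY_CHARS for c in key)

    def create(self, data: dict) -> str:
        """Start a session; returns the frontend key to put in the cookie."""
        frontend_key = secrets.token_hex(16)
        self.store[self.backend_key(frontend_key)] = dict(data)
        return frontend_key

    def load(self, frontend_key: str):
        """Return the session dict for a cookie value, or None if unknown."""
        if not self.valid_frontend_key(frontend_key):
            return None
        data = self.store.get(self.backend_key(frontend_key))
        if data is None and self.hash_keys and frontend_key in self.store:
            # Session written before hashing was enabled, still stored under
            # its raw ID: accept it once and re-key it under the hash.
            data = self.store.pop(frontend_key)
            self.store[self.backend_key(frontend_key)] = data
        return data
```

With `hash_keys=True`, a dump of `store` contains only `blake2b$...` values, none of which `load` accepts as a cookie; with `hash_keys=False` the raw session ID is stored unchanged, which is the compatibility mode the ticket says some apps rely on.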

Django

Apr 28, 2020, 11:11:45 AM4/28/20
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Mark
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by Mark):

* needs_better_patch: 1 => 0


Comment:

New PR: [https://github.com/django/django/pull/12814]

Though the patch surely does still need improvement (documentation at the
very least), I'm removing the 'Patch needs improvement' flag to get some
feedback on the current implementation.

--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:8>

Django

Aug 12, 2020, 2:43:40 AM8/12/20
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Mark
Type: New feature | Status: assigned
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by felixxm):

* cc: Aymeric Augustin (added)


* needs_better_patch: 0 => 1

* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:9>

Django

Mar 21, 2023, 5:27:45 AM3/21/23
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: (none)
Type: New feature | Status: new
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* owner: Mark => (none)
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:10>

Django

Aug 9, 2023, 10:18:10 AM8/9/23
to django-...@googlegroups.com
#21076: Offer the ability to store a hash of session IDs rather than the ID itself
----------------------------------+------------------------------------
Reporter: Tim Graham | Owner: (none)
Type: New feature | Status: new
Component: contrib.sessions | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+------------------------------------
Changes (by Natalia Bidart):

* needs_better_patch: 1 => 0

* has_patch: 1 => 0
* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/21076#comment:11>
