Rationale:
- [https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-length OWASP-recommended session ID length] which therefore might influence security auditors (although I do acknowledge their point that the minimum isn't an absolute pending other implementation factors).
- I also did follow the steps to [https://docs.djangoproject.com/en/4.0/topics/http/sessions/#extending-database-backed-session-engines extend the default Session management] and it resulted in a pointer table (a new table for my model extending Django's Session model, where it references the django_session table). I don't mind this but if all I wanted was to adjust the session key length, I think a setting would be more efficient than introducing a new DB-table.
Impact-on-codebase: Whether [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/backends/base.py#L156 minimum] and [https://github.com/django/django/blob/stable/4.0.x/django/contrib/sessions/base_session.py#L27 maximum] session-key-length checks need to be called anywhere else
Apologies if I've overlooked anything which results in a wontfix; thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/33475>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* cc: Florian Apolloner (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:1>
* version: 4.0 => dev
Comment:
Sooo, adding a new setting for security related stuff probably gets a -1
from me :) That said I fully support the following:
* Audit our code and ensure that we allow longer IDs
* Change our recommendations to "at least" everywhere
* and maybe push the default length
… not sure though if we want a new setting.
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:2>
Comment (by Mariusz Felisiak):
I'm also against a new setting. We allow session keys up to 40 characters
which seems fine when you take entropy into account. In the cited
requirements we have:
> ''"The session ID value must provide at least 64 bits of entropy."''
As far as I'm aware, with 32-character keys and the current alphabet with
a length of 36 (digits and lowercase ASCII letters), we have ~165 bits of
entropy: `32 * log_2(36)`. With the same alphabet and 40-character keys
you will get ~206 bits of entropy.
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:3>
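The entropy arithmetic in the comment above, as an added example that is not part of the ticket or of Django's own code; it assumes the 36-character alphabet (digits plus lowercase ASCII letters) named in the comment and the 64-bit OWASP minimum it quotes, and generalises the `length * log_2(alphabet)` formula to other alphabets and target bit counts.

```python
import math
import secrets
import string

# Assumption: the 36-symbol alphabet the comment describes
# (lowercase ASCII letters plus digits).
ALPHABET = string.ascii_lowercase + string.digits

# Minimum quoted from the OWASP Session Management cheat sheet in the thread.
OWASP_MIN_ENTROPY_BITS = 64


def entropy_bits(key_length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random key: key_length * log2(alphabet_size)."""
    if key_length <= 0 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return key_length * math.log2(alphabet_size)


def min_length_for_bits(min_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest key length whose entropy reaches min_bits for this alphabet."""
    return math.ceil(min_bits / math.log2(alphabet_size))


def meets_owasp_minimum(key_length: int, alphabet_size: int = len(ALPHABET)) -> bool:
    """True when a key of this length over this alphabet carries >= 64 bits."""
    return entropy_bits(key_length, alphabet_size) >= OWASP_MIN_ENTROPY_BITS


def generate_key(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Uniform random key drawn with the CSPRNG-backed `secrets` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # 32 and 40 are the lengths discussed in the thread; 8 and 13 bracket the
    # 64-bit line for this alphabet (13 is the first length that clears it).
    for n in (8, 13, 32, 40):
        print(f"{n:>2} chars: {entropy_bits(n):6.1f} bits, "
              f"meets 64-bit minimum: {meets_owasp_minimum(n)}")
    print("min length for 64 bits (36-symbol alphabet):", min_length_for_bits(64))
    print("min length for 64 bits (hex, 16 symbols):", min_length_for_bits(64, 16))
    print("sample key:", generate_key())
```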
* owner: nobody => swapnil shinde
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:4>
* owner: swapnil shinde => (none)
* status: assigned => new
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:5>
Comment (by jecarr):
Thanks for the quick replies! I realise now to avoid requesting security settings; I'll remember this going forward.
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:4>
* status: new => closed
* resolution: => wontfix
Comment:
The proposal as it currently stands, i.e. ''"adding a `SESSION_KEY_LENGTH`
setting"'' is wontfix for me.
--
Ticket URL: <https://code.djangoproject.com/ticket/33475#comment:5>