Opened 3 years ago

Closed 3 years ago

#33475 closed New feature (wontfix)

Add a SESSION_KEY_LENGTH setting

Reported by: jecarr Owned by: nobody
Component: contrib.sessions Version: dev
Severity: Normal Keywords: session
Cc: Florian Apolloner Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I was reviewing how sessions were made and came across how the session key is at a fixed length of 32 characters. I wondered if we could have a setting that changes this?

Rationale:

  • OWASP-recommended session ID length which therefore might influence security auditors (although I do acknowledge their point about the minimum isn't an absolute pending other implementation factors).
  • I also did follow the steps to extend the default Session management and it resulted in a pointer table (a new table for my model extending Django's Session model, where it references the django_session table). I don't mind this but if all I wanted was to adjust the session key length, I think a setting would be more efficient than introducing a new DB-table.

Impact-on-codebase: Whether minimum and maximum session-key-length checks need to be called anywhere else

Apologies if I've overlooked anything which results in a wontfix; thanks!

Change History (5)

comment:1 by Mariusz Felisiak, 3 years ago

Cc: Florian Apolloner added

comment:2 by Florian Apolloner, 3 years ago

Version: 4.0dev

Sooo, adding a new setting for security related stuff probably gets a -1 from me :) That said I fully support the following:

  • Audit our code and ensure that we allow longer IDs
  • Change our recommendations to "at least" everywhere
  • and maybe push the default length

… not sure though if we want a new setting.

comment:3 by Mariusz Felisiak, 3 years ago

I'm also against a new setting. We allow session keys up to 40 characters which seems fine when you will take an entropy into account. In cited requirements we have:

"The session ID value must provide at least 64 bits of entropy."

As far as I'm aware, with 32-character keys and the current alphabet with a length of 36 (digits and lowercase ASCII letters), we have ~165 bits of entropy: 32 * log_2(36). With the same alphabet and 40-character keys you will get ~206 bits of entropy.

in reply to:  3 comment:4 by jecarr, 3 years ago

Thanks for the quick replies! I realise now to avoid requesting security-settings; I'll remember this going forward.

comment:5 by Mariusz Felisiak, 3 years ago

Resolution: wontfix
Status: newclosed

The proposal as it currently stands, i.e. "adding a SESSION_KEY_LENGTH setting" is wontfix for me.

Note: See TracTickets for help on using tickets.
Back to Top