Opened 3 years ago
Closed 3 years ago
#33475 closed New feature (wontfix)
Add a SESSION_KEY_LENGTH setting
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | jecarr | Owned by: | nobody |
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | session |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I was reviewing how sessions were made and came across how the session key is at a fixed length of 32 characters. I wondered if we could have a setting that changes this?
Rationale:
- The OWASP-recommended session ID length, which might therefore influence security auditors (although I do acknowledge their point that the minimum isn't absolute, pending other implementation factors).
- I also followed the steps to extend the default session management and it resulted in a pointer table (a new table for my model extending Django's Session model, where it references the django_session table). I don't mind this, but if all I wanted was to adjust the session key length, I think a setting would be more efficient than introducing a new DB table.
Impact on codebase: whether minimum and maximum session-key-length checks need to be called anywhere else.
Apologies if I've overlooked anything which results in a wontfix; thanks!
Change History (5)
comment:1 by , 3 years ago
Cc: added
comment:2 by , 3 years ago
Version: 4.0 → dev
comment:3 by , 3 years ago (follow-up: comment 4)
I'm also against a new setting. We allow session keys up to 40 characters, which seems fine when you take entropy into account. In the cited requirements we have:
"The session ID value must provide at least 64 bits of entropy."
As far as I'm aware, with 32-character keys and the current alphabet with a length of 36 (digits and lowercase ASCII letters), we have ~165 bits of entropy: 32 * log_2(36). With the same alphabet and 40-character keys you will get ~206 bits of entropy.
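The entropy arithmetic in comment 3, and the 64-bit OWASP floor the ticket description cites, worked through in code. This is an added example, not code from the ticket or from Django itself: it reuses the 36-symbol alphabet comment 3 describes (lowercase ASCII letters plus digits) but draws keys with the standard-library `secrets` module rather than Django's own generator, and the function names (`entropy_bits`, `min_length_for_bits`, `generate_session_key`, `meets_owasp_minimum`) are this example's, not Django's API.

```python
import math
import secrets
import string

# The 36-symbol alphabet comment 3 describes: lowercase ASCII letters plus digits.
# (Assumed here to match Django's; this is the example's own constant.)
SESSION_KEY_ALPHABET = string.ascii_lowercase + string.digits

# Minimum entropy from the OWASP requirement quoted in comment 3.
OWASP_MIN_ENTROPY_BITS = 64


def entropy_bits(length: int, alphabet_size: int = len(SESSION_KEY_ALPHABET)) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from an alphabet
    of `alphabet_size` symbols: length * log2(alphabet_size). Uniform sampling
    is the precondition; a biased generator yields less than this figure."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be positive and the alphabet needs >1 symbol")
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(SESSION_KEY_ALPHABET)) -> int:
    """Smallest key length whose entropy reaches `target_bits` for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_session_key(length: int = 32, alphabet: str = SESSION_KEY_ALPHABET) -> str:
    """Draw one uniform symbol per position from the OS CSPRNG.

    secrets.choice picks uniformly, so the key actually carries the entropy
    that entropy_bits() computes; random.randint() % len(alphabet) would not.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_owasp_minimum(key: str, alphabet: str = SESSION_KEY_ALPHABET) -> bool:
    """True if a key of this length, drawn uniformly from `alphabet`, carries
    at least 64 bits. Characters outside the alphabet fail the check outright."""
    if not key or any(c not in alphabet for c in key):
        return False
    return entropy_bits(len(key), len(alphabet)) >= OWASP_MIN_ENTROPY_BITS


if __name__ == "__main__":
    # Lengths of interest: the ticket's 32, the 40-character maximum, and the
    # shortest length that still clears the OWASP floor.
    for n in (min_length_for_bits(OWASP_MIN_ENTROPY_BITS), 32, 40):
        print(f"{n:2d} chars over {len(SESSION_KEY_ALPHABET)} symbols -> {entropy_bits(n):.1f} bits")
    key = generate_session_key()
    print(key, "meets OWASP minimum:", meets_owasp_minimum(key))
```

For the 36-symbol alphabet the floor of 64 bits is already reached at 13 characters, which is why a longer key is a margin question rather than a compliance one; the same arithmetic shows a hex alphabet (16 symbols) needs 16 characters for the same 64 bits.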
comment:4 by , 3 years ago
Thanks for the quick replies! I realise now that I should avoid requesting security settings; I'll remember this going forward.
comment:5 by , 3 years ago
Resolution: → wontfix
Status: new → closed
The proposal as it currently stands, i.e. "adding a SESSION_KEY_LENGTH setting", is wontfix for me.
Sooo, adding a new setting for security related stuff probably gets a -1 from me :) That said I fully support the following:
… not sure though if we want a new setting.