#31807 closed New feature (wontfix)
Whether support more secure method to generate session id
Reported by: | dotuser | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | 2.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Since django generate session id will utilize random.SystemRandom()
firstly and then fallback to random
[1]. According to doc, random have security issue for security or cryptographic uses[2]. Although doc says secrets
module, but secrets
module will also utilize SystemRandom
to generate[3]
Read /dev/random/
will produce block and then it have a little effect on performance for application in Linux
So, have any plan to change a secure method to generate session id? Thanks !
[1] https://github.com/django/django/blob/2.2.13/django/utils/crypto.py#L48-L69
[2] https://docs.python.org/3.7/library/random.html
[3] https://docs.python.org/3/library/secrets.html#secrets.SystemRandom
Change History (3)
follow-up: 2 comment:1 by , 5 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
follow-up: 3 comment:2 by , 4 years ago
Replying to felixxm:
Django 3.0+ uses
secrets
, see #27635.
secrets
doesn't change any behavior or add security for now[1][2]. So, for security or cryptographic use case in session id, any others plan to support a more secure method?
I'm not sure if I understand your proposal (using
secrets
in Django 2.2?), we didn't accept #27635 for Django 2.2 because it supports Python 3.5. Also Django 2.2. is in extended support and we will not add any new features to it.
Sorry... since I'm making app with Django 2.2.X, so I filled ticket with this version. If have plans to support, it will be a great features because of builtin support in latest master or Django 3.0+ and then I'll try to migrate latest version
[1] https://code.djangoproject.com/ticket/27635#comment:3
[2] https://docs.python.org/3/library/secrets.html#secrets.SystemRandom
Django 3.0+ uses
secrets
, see #27635. Also in Django 2.2 whenrandom.SystemRandom()
is not available we raise a warning: "A secure pseudo-random number generator is not available on your system. Falling back to Mersenne Twister."I'm not sure if I understand your proposal (using
secrets
in Django 2.2?), we didn't accept #27635 for Django 2.2 because it supports Python 3.5. Also Django 2.2. is in extended support and we will not add any new features to it.