Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#31807 closed New feature (wontfix)

Whether support more secure method to generate session id

Reported by: dotuser
Owned by: nobody
Component: contrib.sessions
Version: 2.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Django generates session IDs using random.SystemRandom() first and then falls back to random [1]. According to the docs, random has security issues for security or cryptographic uses [2]. Although the docs recommend the secrets module, the secrets module also uses SystemRandom to generate values [3].

Reading /dev/random will block, so it has a small effect on application performance on Linux.

So, are there any plans to change to a more secure method for generating session IDs? Thanks!

[1] https://github.com/django/django/blob/2.2.13/django/utils/crypto.py#L48-L69
[2] https://docs.python.org/3.7/library/random.html
[3] https://docs.python.org/3/library/secrets.html#secrets.SystemRandom

Change History (3)

comment:1 by Mariusz Felisiak, 5 years ago

Resolution: wontfix
Status: new → closed

Django 3.0+ uses secrets, see #27635. Also, in Django 2.2, when random.SystemRandom() is not available we raise a warning: "A secure pseudo-random number generator is not available on your system. Falling back to Mersenne Twister."

I'm not sure if I understand your proposal (using secrets in Django 2.2?), we didn't accept #27635 for Django 2.2 because it supports Python 3.5. Also, Django 2.2 is in extended support and we will not add any new features to it.

comment:2 by dotuser, 4 years ago (in reply to comment:1)

Replying to felixxm:

    Django 3.0+ uses secrets, see #27635.

secrets doesn't change any behavior or add security for now [1][2]. So, for security or cryptographic use cases in session IDs, are there any other plans to support a more secure method?

    I'm not sure if I understand your proposal (using secrets in Django 2.2?), we didn't accept #27635 for Django 2.2 because it supports Python 3.5. Also, Django 2.2 is in extended support and we will not add any new features to it.

Sorry... since I'm making an app with Django 2.2.x, I filed the ticket with this version. If there are plans to support it, it would be a great feature because of the built-in support in the latest master or Django 3.0+, and then I'll try to migrate to the latest version.

[1] https://code.djangoproject.com/ticket/27635#comment:3
[2] https://docs.python.org/3/library/secrets.html#secrets.SystemRandom

comment:3 by Mariusz Felisiak, 4 years ago (in reply to comment:2)

    secrets doesn't change any behavior or add security for now [1][2].

Yes I know, but do we need more? Session keys have 32 chars, so =~ 165 bits.

    So, for security or cryptographic use cases in session IDs, are there any other plans to support a more secure method?

Do you have any proposition?
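The points argued across the description, comment:1 and comment:3 (SystemRandom with a Mersenne Twister fallback in 2.2, secrets in 3.0+, and the 165-bit figure) can be checked directly. The following is an added example written for this page, not Django's own code. It assumes the 36-symbol lowercase alphanumeric alphabet and 32-character length that Django session keys use, and reuses the fallback warning text quoted in comment:1; the `rng` and `sysrandom_factory` parameters are hypothetical injection points for the demonstration and do not exist in Django's get_random_string.

```python
import math
import random
import secrets
import warnings

# Assumed session-key alphabet and length: lowercase letters and digits (36 symbols), 32 chars.
SESSION_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SESSION_KEY_LENGTH = 32

# Fallback message Django 2.2 emits, as quoted in comment:1.
FALLBACK_WARNING = (
    "A secure pseudo-random number generator is not available on your system. "
    "Falling back to Mersenne Twister."
)


def entropy_bits(length=SESSION_KEY_LENGTH, alphabet=SESSION_KEY_ALPHABET):
    """Entropy of a key of `length` symbols drawn uniformly from `alphabet`.

    32 symbols from 36 possibilities is 32 * log2(36) ~= 165.4 bits, the figure
    in comment:3. An online guesser must hit one of the live sessions among
    36**32 candidates, far beyond any realistic request budget.
    """
    return length * math.log2(len(alphabet))


def secure_session_key(length=SESSION_KEY_LENGTH, alphabet=SESSION_KEY_ALPHABET):
    """Django 3.0+ style: secrets.choice draws from the OS CSPRNG via os.urandom,
    and there is no fallback path, so a seedable PRNG is never used."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def legacy_session_key(length=SESSION_KEY_LENGTH, alphabet=SESSION_KEY_ALPHABET,
                       rng=None, sysrandom_factory=random.SystemRandom):
    """Django 2.2 style: prefer random.SystemRandom(), warn and fall back to the
    default Mersenne Twister generator if the OS source is unavailable.

    `rng` and `sysrandom_factory` are hypothetical injection points used only by
    the demonstrations below; Django's get_random_string has no such parameters.
    """
    if rng is None:
        try:
            rng = sysrandom_factory()
        except NotImplementedError:
            warnings.warn(FALLBACK_WARNING)
            rng = random.Random()
    return "".join(rng.choice(alphabet) for _ in range(length))


def is_well_formed(key):
    """Length and alphabet check, the kind a session backend applies on lookup."""
    return len(key) == SESSION_KEY_LENGTH and all(c in SESSION_KEY_ALPHABET for c in key)


def secrets_is_system_random():
    """The observation in the ticket: secrets.SystemRandom is literally
    random.SystemRandom. secrets adds a safer API, not a different entropy source."""
    return secrets.SystemRandom is random.SystemRandom


def same_seed_same_key(seed=1234):
    """Why the Mersenne Twister fallback is the actual risk: two generators with
    the same seed (or a recovered internal state) emit identical 'session keys'."""
    return (legacy_session_key(rng=random.Random(seed))
            == legacy_session_key(rng=random.Random(seed)))


def _no_sysrandom():
    """Constructed stand-in for a platform with no OS entropy source."""
    raise NotImplementedError("os.urandom not available")


def fallback_demo():
    """Force the 2.2-style fallback path; return (key, number of warnings emitted)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        key = legacy_session_key(sysrandom_factory=_no_sysrandom)
    return key, len(caught)


if __name__ == "__main__":
    print("entropy bits:", round(entropy_bits(), 1))
    print("secure key:", secure_session_key())
    print("legacy key:", legacy_session_key())
    print("secrets.SystemRandom is random.SystemRandom:", secrets_is_system_random())
    print("same seed -> same key:", same_seed_same_key())
    print("fallback demo:", fallback_demo())
```

The useful takeaway for a 2.2 deployment is the one comment:1 makes: on any platform where os.urandom works, SystemRandom and secrets produce the same quality of key, and the only genuinely weak path is the Mersenne Twister fallback, which announces itself with the warning above and should be treated as a deployment error rather than silently accepted.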
