| field | value | date |
|---|---|---|
| author | Steve Piercy <web@stevepiercy.com> | 2018-09-04 13:41:32 -0700 |
| committer | GitHub <noreply@github.com> | 2018-09-04 13:41:32 -0700 |
| commit | a8f79339380bb9a223e29389628a52e340fcf2e5 (patch) | |
| tree | f8942b0ccbbc66ec31aa97f332944eca26790b13 | |
| parent | 893cb6f6c00a6de5d85194f9164cb72f1a94dbac (diff) | |
| parent | 91f381754177896bf481e27ab53d33cac33e2a0d (diff) | |
| download | pyramid-a8f79339380bb9a223e29389628a52e340fcf2e5.tar.gz pyramid-a8f79339380bb9a223e29389628a52e340fcf2e5.tar.bz2 pyramid-a8f79339380bb9a223e29389628a52e340fcf2e5.zip | |
Merge pull request #3340 from stloma/pickle_warning
clarify session factory warnings
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CONTRIBUTORS.txt | 2 |
| -rw-r--r-- | docs/narr/sessions.rst | 33 |

2 files changed, 23 insertions, 12 deletions
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt index a56821e74..593a078f2 100644 --- a/CONTRIBUTORS.txt +++ b/CONTRIBUTORS.txt @@ -326,3 +326,5 @@ Contributors - Jason Williams, 2018/06/11 - Benjamin Gmurczyk, 2018/06/14 + +- Stephen Martin, 2018/09/04 diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index 6c88dcec5..2d80b1a63 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst 
@@ -57,18 +57,27 @@ using the :meth:`pyramid.config.Configurator.set_session_factory` method. .. warning:: By default the :func:`~pyramid.session.SignedCookieSessionFactory` - implementation is *unencrypted*. You should not use it when you keep - sensitive information in the session object, as the information can be - easily read by both users of your application and third parties who have - access to your users' network traffic. And, if you use this sessioning - implementation, and you inadvertently create a cross-site scripting - vulnerability in your application, because the session data is stored - unencrypted in a cookie, it will also be easier for evildoers to obtain the - current user's cross-site scripting token. In short, use a different - session factory implementation (preferably one which keeps session data on - the server) for anything but the most basic of applications where "session - security doesn't matter", and you are sure your application has no - cross-site scripting vulnerabilities. + implementation contains the following security concerns: + + - Session data is *unencrypted*. You should not use it when you keep + sensitive information in the session object, as the information can be + easily read by both users of your application and third parties who have + access to your users' network traffic. + + - If you use this sessioning implementation, and you inadvertently create a + cross-site scripting vulnerability in your application, because the + session data is stored unencrypted in a cookie, it will also be easier for + evildoers to obtain the current user's cross-site scripting token. + + - The default serialization method, while replaceable with something like + JSON, is implemented using pickle which can lead to remote code execution + if your secret key is compromised. 
+ + In short, use a different session factory implementation (preferably one + which keeps session data on the server) for anything but the most basic of + applications where "session security doesn't matter", you are sure your + application has no cross-site scripting vulnerabilities, and you are confident + your secret key will not be exposed. .. index:: single: session object |
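Review bot: the third bullet in the sessions.rst hunk states the pickle risk ("can lead to remote code execution if your secret key is compromised") without saying why, and the reader choosing a serializer needs the mechanism: the signature only proves the cookie was produced with the secret, so anyone holding the secret can sign a cookie whose payload the server will unpickle, and unpickling untrusted data runs code. Suggest stating that in one sentence, and replacing the vague "replaceable with something like JSON" with the concrete way to swap the serializer (name the factory argument and link to its API entry) so the warning also tells the reader what to do. Two smaller points: "implementation contains the following security concerns" reads better as "implementation has the following security concerns", and in the closing paragraph the three conditions after "where" ("session security doesn't matter", you are sure ..., and you are confident ...) run together; separating them as "and only when you are sure your application has no cross-site scripting vulnerabilities and are confident your secret key will not be exposed" makes clear that all three must hold.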
