[Python-ideas] Should our default random number generator be secure?
Chris Angelico
rosuav at gmail.com
Mon Sep 14 15:32:55 CEST 2015
On Mon, Sep 14, 2015 at 10:26 PM, Nathaniel Smith <njs at pobox.com> wrote:
>> Code which uses the output from an RNG as session id without adding
>> any additional security measures is broken, regardless of what kind
>> of RNG you are using. I bet such code will also take any session id
>> it receives as cookie and trust it without applying extra checks
>> on it.
>
> Yes, that's... generally the thing you do with session cookies?
> They're shared secret string that you use as keys into some sort of
> server-side session database? What extra checks need to be applied?
Some systems check to see if the session was created by the same IP
address. That can help, but it also annoys legitimate users who change
their IP addresses.
ChrisA
More information about the Python-ideas
mailing list