Ticket #7418 (closed: worksforme)

Opened 7 months ago

Last modified 5 months ago

session middleware claims user tampered with session cookie

Reported by: Michael Soulier <msoulier@digitaltorque.ca>
Assigned to: nobody
Milestone:
Component: django.contrib.sessions
Version: 0.96
Keywords:
Cc: spage@nomensa.com
Triage Stage: Unreviewed
Has patch: 0
Needs documentation: 0
Needs tests: 0
Patch needs improvement: 0

Description

I am using the latest stable release of Django, 0.96, on CentOS Linux 4.6 with PostgreSQL postgresql-7.4.13-2.RHEL4.1.

I have had problems maintaining session persistence so I dropped some debug code into the session middleware, and found this:

INFO:django-teleworker:Session key is f26b6104bc3d7fa04311857265c3d3c5 session was in cache failed to pull session from db, making new one err = User tampered with session cookie.

django.contrib.sessions.models.Session.get_decoded is raising a SuspiciousOperation exception. It's not clear why.

>>> from django.contrib.sessions.models import Session
>>> q = Session.objects.all()
>>> for s in q:
...    print s.get_decoded()
...
Traceback (most recent call last):
  File "<console>", line 2, in ?
  File "/var/tmp/django-0.96.2-root/usr/lib/python2.3/site-packages/django/contrib/sessions/models.py", line 82, in get_decoded
SuspiciousOperation: User tampered with session cookie.

As things are I may have to remove this check to get things working. I looked in the trunk in SVN and this code doesn't seem any different.

Change History

06/11/08 09:04:56 changed by Michael Soulier <msoulier@digitaltorque.ca>

  • needs_better_patch changed.
  • needs_tests changed.
  • needs_docs changed.
tamper_check is a305745fe8814bc9d8c035287c6f6f67
DEBUG:django-teleworker:md5 output is 6d362166ae93f8326e90ef32a0b748ab

For some reason, the md5 sums aren't matching.
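Added illustration (not Django's code, and not part of the ticket) of the 0.96 session layout that the description and the md5-mismatch comment above are about: a row is base64(pickle + md5(pickle + SECRET_KEY)), so get_decoded rejects any row whose checksum was computed under a different SECRET_KEY than the one the decoding process holds, which yields exactly this ticket's "User tampered with session cookie" without any client involvement. KEY, the sample session dict and the helper names (split_row, rebuild_row, decode_status) are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import pickle

# Hypothetical key for the constructed sample; Django reads settings.SECRET_KEY.
KEY = "key-used-when-the-row-was-written"


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""


def encode_session(session_dict, secret_key):
    """0.96 layout: base64(pickle(dict) + hex md5(pickle(dict) + SECRET_KEY))."""
    pickled = pickle.dumps(session_dict)
    tamper_check = hashlib.md5(pickled + secret_key.encode()).hexdigest()
    return base64.encodebytes(pickled + tamper_check.encode())

def split_row(session_data):
    """Separate the pickled payload from the trailing 32-char hex checksum."""
    decoded = base64.decodebytes(session_data)
    return decoded[:-32], decoded[-32:]

def rebuild_row(pickled, tamper_check):
    """Re-assemble a session row from its two parts (used for negative checks)."""
    return base64.encodebytes(pickled + tamper_check)

def get_decoded(session_data, secret_key):
    """Mirror of Session.get_decoded: verify the checksum before unpickling anything."""
    pickled, tamper_check = split_row(session_data)
    expected = hashlib.md5(pickled + secret_key.encode()).hexdigest().encode()
    # compare_digest is constant-time; 0.96 used a plain != comparison here.
    if not hmac.compare_digest(expected, tamper_check):
        raise SuspiciousOperation("User tampered with session cookie.")
    return pickle.loads(pickled)  # only reached by data that passed the check

def decode_status(session_data, secret_key):
    """Return the session dict, or None when the tamper check rejects the row."""
    try:
        return get_decoded(session_data, secret_key)
    except SuspiciousOperation:
        return None

# Constructed sample row, written under KEY. Decoding it under any other key
# fails the checksum exactly like the ticket's traceback, with no tampering.
ROW = encode_session({"_auth_user_id": 1}, KEY)
```

When chasing this symptom, confirm every process that writes or reads the session table sees the same SECRET_KEY before suspecting the check itself.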

06/11/08 09:12:38 changed by Michael Soulier <msoulier@digitaltorque.ca>

06/11/08 09:49:10 changed by Michael Soulier <msoulier@digitaltorque.ca>

I just patched the session middleware to use sha instead of md5, and it seems to be working.

06/17/08 05:45:05 changed by spage@nomensa.com

  • cc set to spage@nomensa.com.

Adding self to cc

08/12/08 10:35:20 changed by jacob

  • status changed from new to closed.
  • resolution set to worksforme.

I can't reproduce this on trunk. Please reopen if you have more details that help reproduce the problem.
