Insecurely generated token - Lifespan - Python

Insecurely generated token - Lifespan - Python

Need

Securely generate and manage session tokens with appropriate expiration times

Context

  • Usage of Python 3 for writing and executing Python code
  • Usage of Django for building web applications

Description

Non compliant code

        from django.contrib.sessions.backends.db import SessionStore

def create_session():
    session = SessionStore()
    session['last_login'] = datetime.now()
    session.set_expiry(432000)  # Expiration time set to 5 days
    session.save()
        
        

The function create_session() creates a new session using Django's SessionStore class. A session variable 'last_login' is set to the current date and time. The session is then set to expire after 432000 seconds, which is approximately 5 days.

The vulnerability here lies in the lifespan of the session token. A long-lived session token increases the window of opportunity for an attacker to hijack the session. If an attacker is able to get hold of the session token, they can impersonate the user until the session token expires. In this case, that window is 5 days, which is quite long.

Steps

  • Reduce the session token lifespan to a more secure duration. A common practice is to set it to 30 minutes or less.
  • Implement a mechanism to refresh the session token after a certain period of inactivity.
  • Consider using Django's built-in session expiration mechanism, which can be configured in the settings file.
  • Ensure that the session token is invalidated and a new one is generated after a successful login or logout.

Compliant code

        from django.contrib.sessions.backends.db import SessionStore
from django.conf import settings

def create_session():
    session = SessionStore()
    session['last_login'] = datetime.now()
    session.set_expiry(settings.SESSION_COOKIE_AGE)  # Use the session lifespan from settings
    session.save()
        
        

The original code had a vulnerability where session tokens were set to expire after 5 days. This is a security risk as it allows an attacker who has obtained a session token to use it for a prolonged period of time.

The fixed code reduces the session token lifespan to a more secure duration. The session lifespan is now set in the Django settings file using the SESSION_COOKIE_AGE variable. This is set to 1800 seconds, which is equivalent to 30 minutes. This is a common practice that strikes a balance between user convenience and security.

The set_expiry method of the SessionStore object is then used to set the expiry of the session token to the value of SESSION_COOKIE_AGE. This ensures that all session tokens have a consistent lifespan.

This fix also has the advantage of centralizing the session lifespan setting. If you need to change the session lifespan in the future, you only need to change the SESSION_COOKIE_AGE setting.

Remember to also implement a mechanism to refresh the session token after a certain period of inactivity and to invalidate and generate a new session token after a successful login or logout.

References