"""
We recently committed changes to 1.4 that added signed cookie based
session storage. Session data is pickled, signed, and sent to the
client as a cookie. On receipt of the cookie, we check the signature,
unpickle, and use the data. We could use JSON instead of pickle, at
the expense of longer cookies.
I believe that our signing implementation is secure and correct.
However, I know that users of Django screw up from time to time. It's
not uncommon to see SECRET_KEY in a git repository, and that value is
often used in production. If SECRET_KEY is compromised, an attacker
can sign arbitrary cookie data. The use of pickle changes an attack
from "screw up the data in this application" to "arbitrary remote code
execution".
In light of this, we should be conservative and use JSON by
default instead of pickle.
"""
If the size of the cookie turns out to be a problem, using compressed JSON
instead of JSON is a very simple change. I tested on my crummy old laptop, and
using zlib one can compress + decompress roughly 5000 short strings in a
second. On reasonable hardware I guess that figure will be 10000-30000 per
thread. In the limit, when the compressed size is around 4Kb, one can compress
about 500 strings a second (or 1000-3000 on reasonable hardware). So, this
could cause some performance concerns in extreme cases, but probably not enough
to worry about.
The test program is simple:
import json
import random
import zlib
from datetime import datetime

# 1000 random integers serialised to JSON: the payload to be compressed
nums = [random.randint(0, 100000) for _ in range(0, 1000)]
var = json.dumps({'nums': nums}).encode('utf-8')  # zlib works on bytes

start = datetime.now()
for i in range(0, 1000):
    compressed = zlib.compress(var)
    uncompressed = zlib.decompress(compressed)
assert uncompressed == var  # round trip must be lossless

print(datetime.now() - start)  # wall time for 1000 compress + decompress cycles
print(len(var))                # uncompressed size in bytes
print(len(compressed))         # compressed size in bytes
Note that when compressing random integers, one will still get over 50%
compression. On more realistic data, the compression should be more.
- Anssi
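The design discussed in this thread, JSON rather than pickle as the cookie serializer, zlib compression applied only when it actually shortens the cookie, and an HMAC signature checked before the payload is touched, as a small worked example. This is added illustration code, not Django's own implementation (Django's signing lives in django.core.signing); the SECRET_KEY value, the salt string, the "." compression marker and the ":" separator are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Constructed example key; a real deployment reads SECRET_KEY from settings.
SECRET_KEY = b"example-secret-key-not-for-production"
COMPRESSED_FLAG = b"."  # marker (assumption): payload was zlib-compressed


class BadSignature(Exception):
    """Raised when a cookie's signature does not verify."""


def _b64encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(payload: bytes, key: bytes) -> bytes:
    # Derive a cookie-specific key with a salt so the raw SECRET_KEY is
    # never used directly as the MAC key (salt string is an assumption).
    derived = hmac.new(key, b"session-cookie-salt", hashlib.sha256).digest()
    return _b64encode(hmac.new(derived, payload, hashlib.sha256).digest())


def dumps(obj, key: bytes = SECRET_KEY, compress: bool = True) -> bytes:
    """Serialise obj as JSON (never pickle), compress if it helps, then sign.

    The signature covers the compression marker too, so a client cannot
    flip it without invalidating the cookie.
    """
    data = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    payload = _b64encode(data)
    if compress:
        compressed = COMPRESSED_FLAG + _b64encode(zlib.compress(data))
        if len(compressed) < len(payload):
            payload = compressed
    return payload + b":" + _signature(payload, key)


def loads(cookie: bytes, key: bytes = SECRET_KEY):
    """Verify the signature first; only then decompress and JSON-decode.

    json.loads can only ever produce dicts, lists, strings, numbers, bools
    and None, so a forged payload cannot execute code the way a forged
    pickle could.
    """
    payload, sep, sig = cookie.rpartition(b":")
    if not sep or not hmac.compare_digest(sig, _signature(payload, key)):
        raise BadSignature("cookie signature does not match")
    if payload.startswith(COMPRESSED_FLAG):
        data = zlib.decompress(_b64decode(payload[len(COMPRESSED_FLAG):]))
    else:
        data = _b64decode(payload)
    return json.loads(data.decode("utf-8"))


def verify_rejects(cookie: bytes, key: bytes = SECRET_KEY) -> bool:
    """True if loads() refuses the cookie, False if it accepts it."""
    try:
        loads(cookie, key)
    except BadSignature:
        return True
    return False


if __name__ == "__main__":
    # Constructed session data: repetitive, so compression pays off.
    session = {"user_id": 42, "cart": [{"sku": "ITEM-%03d" % i, "qty": 1} for i in range(30)]}
    cookie = dumps(session)
    print(len(dumps(session, compress=False)), "bytes plain vs", len(cookie), "compressed")
    print(loads(cookie) == session)
    print(verify_rejects(b"A" + cookie[1:]))  # tampered payload is rejected
```

Note that the small-cookie fallback matters: zlib adds a header, so for a tiny session the compressed form is longer than the plain one and `dumps` keeps the uncompressed payload.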
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.