[Merge] lp:~wgrant/launchpad/session-sha256 into lp:launchpad
William Grant has proposed merging lp:~wgrant/launchpad/session-sha256 into lp:launchpad with lp:~wgrant/launchpad/session-sha256-compat as a prerequisite.
Commit message:
Hash session IDs with SHA-256 before they hit the database.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~wgrant/launchpad/session-sha256/+merge/232857
Hash session IDs with SHA-256 before they hit the database, so a single read-only DB compromise isn't persistent.
=== modified file 'lib/lp/services/webapp/pgsession.py'
--- lib/lp/services/webapp/pgsession.py 2014-09-01 08:05:42 +0000
+++ lib/lp/services/webapp/pgsession.py 2014-09-01 08:05:42 +0000
@@ -114,7 +114,7 @@
# about our client id. We're doing it lazily to try and keep anonymous
# users from having a session.
self.store.execute(
- "SELECT ensure_session_client_id(?)", (self.client_id,),
+ "SELECT ensure_session_client_id(?)", (self.hashed_client_id,),
noresult=True)
request = get_current_browser_request()
if request is not None:
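Review bot: The substitution of `self.hashed_client_id` for `self.client_id` on line 28 is not explained at the call site, and the same applies to the `set_session_pkg_data` call in the second hunk (line 37); `hashed_client_id` comes from the prerequisite branch and is not visible in this diff, so a later reader may take it for a redundant transformation and revert it. Suggest a comment above the `execute` call, e.g. `# Only the SHA-256 of the cookie value reaches the database, so a read-only DB compromise does not expose live session IDs (see hashed_client_id).` That guarantee also depends on `client_id` itself being a high-entropy random value, since an unkeyed digest of a guessable identifier gives no protection; that precondition is worth stating in the same comment or on the `hashed_client_id` property. Both enclosing methods begin outside their hunks.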
@@ -201,7 +201,7 @@
self.session_data._ensureClientId()
self.store.execute(
"SELECT set_session_pkg_data(?, ?, ?, ?)",
- (self.session_data.client_id,
+ (self.session_data.hashed_client_id,
self.product_id, key, pickled_value),
noresult=True)
=== modified file 'lib/lp/services/webapp/tests/test_pgsession.py'
--- lib/lp/services/webapp/tests/test_pgsession.py 2014-01-30 15:04:06 +0000
+++ lib/lp/services/webapp/tests/test_pgsession.py 2014-09-01 08:05:42 +0000
@@ -5,6 +5,7 @@
__metaclass__ = type
+import hashlib
from unittest import TestCase
from zope.publisher.browser import TestRequest
@@ -157,7 +158,7 @@
result = store.execute(
"SELECT client_id FROM SessionData ORDER BY client_id")
client_ids = [row[0] for row in result]
- self.assertEquals(client_ids, [client_id])
+ self.assertEquals(client_ids, [hashlib.sha256(client_id).hexdigest()])
# The session cookie also is now set, via the same "trigger".
self.assertNotEqual(
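Review bot: Line 53 keeps the deprecated `assertEquals` alias while the surrounding code (line 55) uses the canonical spelling; for consistency the new line would read `self.assertEqual(client_ids, [hashlib.sha256(client_id).hexdigest()])`. Computing the expected digest in the test independently of the production helper is a good choice, as it pins the stored format rather than just echoing the implementation, so a short comment such as `# Pin the on-disk format: the table must hold the hex SHA-256, never the raw cookie value.` would make that intent explicit. The enclosing test method starts outside the hunk.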