  Cookie-Only Sessions
Added by Ben Bangert, last edited by Ben Bangert on Mar 01, 2008

About

In Beaker 0.9, cookie-based sessions were added. These purely cookie-based sessions are ideal for clustered environments or to avoid having to worry about session files cropping up in the filesystem or database. In general, usage of these types of sessions should be carefully considered against the limitations imposed by storing the session data in the cookie.

Cookie-based sessions can optionally be encrypted if the user should not be able to read the data in the cookie.

Optional Requirements

Due to the increased overhead of encryption algorithms, using cookie-based sessions with encryption requires the installation of the pycryptopp package. Installing pycryptopp first requires installation of Crypto++ 5.5.2 or higher.

How it Works

To create a secure and compact cookie containing the session, the session dict goes through the following steps:

  1. The session dict is serialized to binary with cPickle
  2. (Optional) The binary data is encrypted with 256-bit AES in CTR mode, then signed with an HMAC using SHA-256
  3. The binary session data is base64-encoded for the cookie value

What about security issues with Pickle?

The pickling scheme used in Python is not considered secure: a specially crafted piece of binary data can cause pickle to execute code when it is un-pickled.

To ensure that the pickled data has not been tampered with, Beaker only lets you use cookie-based sessions when SHA-256 is available (requires Python 2.5 or pycryptopp) to sign the data. Without a valid signature, the cookie data is not considered valid and no attempt is made to un-pickle it. This avoids the security issue with untrusted pickle data by establishing a way to ensure it can be trusted.
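The following Python is an added illustration, not Beaker's own code: it walks the serialize, sign and base64 steps described above and shows the verify-before-unpickle check, with the optional AES-CTR encryption step left out. The key is a constructed stand-in for the validate_key setting, and the size check reflects the 4096-byte cookie limit noted under Limitations.

```python
import base64
import hashlib
import hmac
import pickle

# Constructed demo key standing in for Beaker's 'validate_key' setting.
VALIDATE_KEY = b"constructed-demo-validate-key"
MAX_COOKIE_BYTES = 4096   # browser cookie limit cited in the Limitations section
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_session(session, validate_key=VALIDATE_KEY):
    """Serialize, sign and base64-encode a session dict (encryption step omitted)."""
    body = pickle.dumps(session)                                    # step 1: pickle to binary
    sig = hmac.new(validate_key, body, hashlib.sha256).digest()     # HMAC-SHA256 over the data
    value = base64.b64encode(sig + body).decode("ascii")            # step 3: base64 cookie value
    if len(value) > MAX_COOKIE_BYTES:
        raise ValueError("session too large for a single cookie")
    return value


def decode_session(cookie_value, validate_key=VALIDATE_KEY):
    """Return the session dict, or None when the signature does not verify.
    The HMAC is checked before pickle.loads runs, so unsigned or altered
    data never reaches the unpickler."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < SIG_LEN:
        return None
    sig, body = raw[:SIG_LEN], raw[SIG_LEN:]
    expected = hmac.new(validate_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return pickle.loads(body)


def altered_after_signing(cookie_value, new_session):
    """Constructed negative case: keep the old signature but swap the body."""
    raw = base64.b64decode(cookie_value)
    return base64.b64encode(raw[:SIG_LEN] + pickle.dumps(new_session)).decode("ascii")


if __name__ == "__main__":
    cookie = encode_session({"user_id": 42, "role": "member"})
    print(decode_session(cookie))                                   # {'user_id': 42, 'role': 'member'}
    print(decode_session(altered_after_signing(cookie, {"role": "admin"})))  # None
    print(decode_session(cookie, validate_key=b"other-key"))        # None
```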

Using cookie-based sessions

Settings:

  1. Set the session type to 'cookie'
  2. Set a session validate_key option to a secure key
  3. (Optional) Set a session encrypt_key option to a secure key

The secret encrypt_key should ideally be a randomly generated string of at least 10 characters. The session can then be used as normal, except that all storage is saved in the cookie.

Limitations & Things to Consider

  • Cookies may not exceed 4096 bytes, and attempts to store session data that hits this limit will result in an exception being raised.
  • Long cookies add latency to every request, so static resources should be served from a domain not covered by the cookie to avoid slowing down static media page-loads.
