PDA

View Full Version : Pyramid Web Session Security Question



DanteAffinityXD
01-24-2016, 08:00 PM
Since trying out the developer project on here, I've been slowly drawn into the world of pythonic web application development using Pyramid and it's really been a lot of fun. However, I have a gut feeling about my code I was wondering if I could get some opinions on. When I log my users in, I use the follow method to do so - it basically uses BCrypt to check that their password matches, then saves their user id from postgres into a session variable via remember. Then, on future pages, I am grabbing their user id from the session memory, and using that to grab their permissions, and their identity. But I'm a bit concerned because I'm not sure how Pyramid stores this information. Is it possible for the user to simply modify their header id as that of another logged-in user (say an administrator) and suddenly they've elevated their own permissions? Or does pyramid magically protect against this?

Here's the code in case you're wondering,


if(user and crypto_manager.check(user.getPassword(), password)):
headers = remember(request, user.id)
self.request.session.flash("You have successfully logged in to your account.", "success")
return HTTPFound(location=came_from, headers=headers)


def groupfinder(userid, request):
userGroup = request.db.query(UserGroup.name).join(RegisteredUs er, UserGroup.id == RegisteredUser.group_id).\
group_by(UserGroup.id).filter(UserGroup.id == userid).first()

if(userGroup):
return userGroup
else:
return None

If this is as insecure as I'm thinking, would I be right in saying that a solution would be to pass over a random string to the user (alphanumeric, lower/upper with symbols), which is then validated to the database on each page? This is kind of like a long computer-generated plain-text password, with its length ensuring that statistically-speaking, the chances of two people having the same session string would be incomprehensibly small. Of course, if the above method is secure, such a password call would just be silly and downright expensive in terms of computational time.

Anyways, as I know people on here use Pyramid, I thought this might be a good place to ask this.

Thank you,
Dante ^_^

Dreae
02-05-2016, 12:51 AM
If my understanding of Pyramid is correct the function of remember is entirely dependent on the authentication policy your project is using, so the security depends on which authentication policy you've enabled. I believe Pyarmid's default authentication policy uses MD5 to sign cookies containing your session data using a secret key you provide, so it does provide some security, though if you are using the default policy you should certainly change the algorithm from the default of MD5 to something like SHA512.

Additionally, I don't know if Pyramid does any sort of cookie and encryption, and even if it does you should avoid storing any sensitive information (i.e. password hashes) in the cookies or headers sent to the client.