Thursday, April 28, 2016

Re: Generation of Session IDs in Django

Yes, it randomly chooses a 32-character string with characters from VALID_KEY_CHARS (which contains the lower-case characters 'a' to 'z', plus digits '0' to '9', so 36 elements).

It uses Python's random.SystemRandom if available (/dev/urandom on Linux, CryptGenRandom() on Windows), and otherwise Python's default Mersenne Twister PRNG is used, and reseeded before every call to get_random_string so it doesn't become predictable. See the source of get_random_string (https://github.com/django/django/blob/master/django/utils/crypto.py).

log2(36 ** 32) =~ about 165 bits of entropy (fewer when using the PRNG).

Greetings,
Remco Gerlich

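As an added illustration of Remco's answer (this is example code written here, not Django's own implementation, although it mirrors the helper he links): it selects random.SystemRandom when available and otherwise reseeds the Mersenne Twister before each draw, reproduces the retry loop from _get_new_session_key, and computes the log2(36 ** 32) entropy figure. The `exists` callback and the SECRET_KEY placeholder are assumptions of the example.

```python
import hashlib
import math
import random
import string
import time

# Same alphabet as Django's session backend: 26 lower-case letters + 10 digits.
VALID_KEY_CHARS = string.ascii_lowercase + string.digits

# Placeholder standing in for settings.SECRET_KEY (assumption of this example).
SECRET_KEY = "example-secret-key-placeholder"

# Prefer the OS CSPRNG (/dev/urandom, CryptGenRandom); only if it is missing
# fall back to the Mersenne Twister, which is NOT cryptographically secure on its own.
try:
    _rng = random.SystemRandom()
    USING_SYSRANDOM = True
except NotImplementedError:
    _rng = random.Random()
    USING_SYSRANDOM = False


def get_random_string(length=32, allowed_chars=VALID_KEY_CHARS):
    """Draw `length` symbols uniformly from `allowed_chars`."""
    if not USING_SYSRANDOM:
        # Mix PRNG state, wall-clock time and the secret key into a fresh seed
        # before every call, as Remco describes for the fallback path.
        material = "%s%s%s" % (_rng.getstate(), time.time(), SECRET_KEY)
        _rng.seed(hashlib.sha256(material.encode()).digest())
    return "".join(_rng.choice(allowed_chars) for _ in range(length))


def key_entropy_bits(length=32, alphabet_size=len(VALID_KEY_CHARS)):
    """Entropy of a uniformly chosen key: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def new_session_key(exists, length=32):
    """Mirror _get_new_session_key: retry until `exists(key)` reports the key unused."""
    while True:
        key = get_random_string(length, VALID_KEY_CHARS)
        if not exists(key):
            return key


def is_well_formed_key(key, length=32):
    """Cheap sanity check before hitting the session store with an arbitrary cookie value."""
    return len(key) == length and all(c in VALID_KEY_CHARS for c in key)
```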

On Thu, Apr 28, 2016 at 7:23 AM, Arun S <arun.s85@gmail.com> wrote:

Hi,

Just trying to get a few answers on the Session IDs in Django.

> how does Django Generate Session IDs/Session Keys.
It seems that Django does the following for Session Keys:

    # from django/contrib/sessions/backends/base.py
    def _get_new_session_key(self):
        "Returns session key that isn't being used."
        while True:
            session_key = get_random_string(32, VALID_KEY_CHARS)
            if not self.exists(session_key):
                break
        return session_key

Does this mean that only a RANDOM string is chosen from the set of Valid Key Chars?
If the above is not the case, then
Does Django support any cryptographic algorithms for generating Session IDs?
In that case,
Which cryptographic algorithm does Django use for Session IDs and how many bits of entropy are used?

Any information on this would be very helpful.

Thanks
Arun

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/eba81953-c59f-4aba-b733-e320cc6fdef8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
