Django 1.4.2 session key generation

I wondered why django was trying to create a unique key, so I looked it up with my neighbor.

How to create a session ID-Skotoprigonievsk communication

I couldn't find any code that took the OS pid in 1.4.2 at hand.

I have a method in django.contrib.sessions.base.SessionBase with _get_new_session_key (), but in it, get_random_string () in django.utils.crypto is used and it's probably the key-generating function.

crypto.py


def get_random_string(length=12,
                      allowed_chars='abcdefghijklmnopqrstuvwxyz'
                                    'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'):
    """
    Returns a securely generated random string.

    The default length of 12 with the a-z, A-Z, 0-9 character set returns
    a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
    """
    if not using_sysrandom:
        # This is ugly, and a hack, but it makes things better than
        # the alternative of predictability. This re-seeds the PRNG
        # using a value that is hard for an attacker to predict, every
        # time a random string is required. This may change the
        # properties of the chosen random sequence slightly, but this
        # is better than absolute predictability.
        random.seed(
            hashlib.sha256(
		"%s%s%s" % (
                    random.getstate(),
                    time.time(),
                    settings.SECRET_KEY)
                ).digest())
    return ''.join([random.choice(allowed_chars) for i in range(length)])

When useng_sysramdom is False Random.getstate (), time.time () and settings.SECRET_KEY are multiplied by SHA256 as a seed.

The using_sysramdom flag is set in crypto.py to determine if random.SysRandom is available. This is the same as the content of the above blog.

crypto.py


import random
try:
    random = random.SystemRandom()
    using_sysrandom = True
except NotImplementedError:
    import warnings
    warnings.warn('A secure pseudo-random number generator is not available '
                  'on your system. Falling back to Mersenne Twister.')
    using_sysrandom = False

This is a ramdom value in the end, so I'm still wondering if it's a unique key, but I wonder if it's like this.

By the way, when I tried to make a unique value in the past, [Catalyst :: Plugin :: Session](http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Plugin-Session-0.37/lib/Catalyst/Plugin /Session.pm) I borrowed (perl).

Session.pm


my $counter;

sub session_hash_seed {
    my $c = shift;

    return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
}

# ~~ snip ~~

sub generate_session_id {
    my $c = shift;

    my $digest = $c->_find_digest();
    $digest->add( $c->session_hash_seed() );
    return $digest->hexdigest;
}

I haven't applied ramdom at the end, so I think this one is more unique, but I don't know.

Recommended Posts

Django 1.4.2 session key generation
Django Foreign Key on_delete argument
Django
Write foreign key constraints in Django
Information recording memo using session in Django
Django Foreign Key Tutorial Ends in 10 Minutes