Use 128-bit random tokens for session keys and form tokens.

Our previous 64-bit values should still be more than secure
for web applications, but recommended best practice is currently
128-bit.  We use URL-safe base64 encoding so the length of
the tokens is only a bit longer.
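As an added illustration of the length argument in the commit message (this is example code, not Quixote's own `randbytes` or `Session` implementation), the stand-in below draws `n` bytes from the OS CSPRNG, encodes them as URL-safe base64 without padding, and keeps a bounded list of form tokens the way the diff's `MAX_FORM_TOKENS` trimming does. Going from 8 to 16 random bytes grows the encoded token from 11 to 22 characters, and the `FormTokens` class shows the matching consume step checked in constant time. The names `randbytes`, `token_length`, `FormTokens` and the constant `MAX_FORM_TOKENS = 16` are assumptions made for this example.

```python
import base64
import hmac
import os
import string
from collections import deque

# Assumed stand-in for the project's randbytes() helper, not Quixote's code:
# n bytes from the OS CSPRNG, URL-safe base64 encoded, '=' padding stripped.
def randbytes(n: int) -> str:
    raw = os.urandom(n)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_length(n: int) -> int:
    """Characters needed to base64-encode n bytes without padding: ceil(8n/6)."""
    return -(-8 * n // 6)


# Characters a URL-safe base64 token may contain (no '+' or '/').
URLSAFE_ALPHABET = frozenset(string.ascii_letters + string.digits + "-_")


class FormTokens:
    """Bounded store of single-use form tokens (hypothetical, mirrors the
    MAX_FORM_TOKENS trimming visible in the diff)."""

    MAX_FORM_TOKENS = 16  # assumed limit for this example

    def __init__(self) -> None:
        self._tokens: deque[str] = deque()

    def create(self) -> str:
        # 16 random bytes == 128 bits of entropy, as in the commit.
        token = randbytes(16)
        self._tokens.append(token)
        # Drop the oldest tokens once the cap is exceeded.
        while len(self._tokens) > self.MAX_FORM_TOKENS:
            self._tokens.popleft()
        return token

    def consume(self, presented: str) -> bool:
        """Accept a submitted token once. Every stored token is compared with
        hmac.compare_digest so the lookup does not leak which prefix matched."""
        matched = None
        presented_b = presented.encode("utf-8")
        for stored in self._tokens:
            if hmac.compare_digest(stored.encode("ascii"), presented_b):
                matched = stored
        if matched is None:
            return False
        self._tokens.remove(matched)
        return True


if __name__ == "__main__":
    print("64-bit token:", randbytes(8), "->", token_length(8), "chars")
    print("128-bit token:", randbytes(16), "->", token_length(16), "chars")
```

Dropping the `=` padding is what keeps the 128-bit token at 22 characters; with padding it would be 24. Whether padding is stripped is a detail of the real helper this example does not claim to know.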
Neil Schemenauer 2015-12-08 11:16:30 -08:00
parent 662c99f3e1
commit 410c030b50
1 changed file with 2 additions and 2 deletions

@ -243,7 +243,7 @@ class SessionManager:
# used with the session manager mapping interface.)
id = None
while id is None or self.has_session(id):
id = randbytes(8) # 64-bit random number
id = randbytes(16) # 128-bit random number
return id
def _create_session(self):
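Review bot: the new comment `# 128-bit random number` describes the entropy but not the type: per the commit message randbytes returns a URL-safe base64 string, so `id` is a 22-character string, not a number, and a comment such as `# 16 random bytes (128 bits), URL-safe base64 encoded` would tell readers of `has_session(id)` what kind of key to expect. The `while id is None or self.has_session(id)` retry loop remains correct, but with 128-bit identifiers a collision is astronomically unlikely, so it is now defence in depth rather than a practical guard and is worth a one-line comment saying so.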
@ -552,7 +552,7 @@ class Session:
tokens for this session. A maximum of MAX_FORM_TOKENS are saved.
The new token is returned.
"""
token = randbytes(8)
token = randbytes(16)
self._form_tokens.append(token)
extra = len(self._form_tokens) - self.MAX_FORM_TOKENS
if extra > 0:
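Review bot: the literal `16` now appears in both hunks (`randbytes(16)` here and in `SessionManager`), so a single named constant would keep session ids and form tokens in step the next time the size changes. The docstring at the top of this hunk says how many tokens are kept (`A maximum of MAX_FORM_TOKENS are saved.`) but not what a token is; since this commit changes the size, add a sentence such as `Tokens are 16 random bytes (128 bits), URL-safe base64 encoded.` Unlike the session id loop, there is no uniqueness check here, which is acceptable for 128-bit random values, but that reasoning belongs in a comment so a later reader does not treat the asymmetry as an oversight.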