[web-devel] HEADS-UP: security fix, please upgrade clientsession to >=

Felipe Almeida Lessa felipe.lessa at gmail.com
Mon Oct 3 15:10:44 CEST 2011

On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa
<felipe.lessa at gmail.com> wrote:
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message.  However, the attacker is not able to recover the
> MAC key or the encryption key.  So you don't need to change your keys,
> just upgrade ASAP.

If you are really paranoid, you may worry about a malicious user that
created a valid cookie for an administrator expiring in 2030 while you
still haven't upgraded.  If you have this level of security
paranoia/consciousness, you may want to generate new keys.  Just
delete client_session_key.aes before restarting your application with
the fixed clientsession >= and new, random keys will be
generated for you.

Cheers, =)
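As an added illustration of the quoted claim (a timing leak in the MAC check lets an attacker forge a valid tag without ever learning the key), here is a small Python model. It is not clientsession's code and does not reproduce the library's actual implementation: HMAC-SHA256, the cookie payload, and a `work` counter standing in for the response time an attacker would measure over the network are all assumptions made for the demonstration. The byte-at-a-time search is the general form of the attack; a real attacker needs many repeated measurements and statistics to see the same signal through network jitter.

```python
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag; the algorithm is an assumption for this demo."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class LeakyVerifier:
    """Server-side check that stops at the first mismatching byte.

    `work` records how many bytes the last call compared; it stands in
    for the response time an attacker would measure over the network.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.work = 0

    def verify(self, msg: bytes, tag: bytes) -> bool:
        expected = mac(self._key, msg)
        self.work = 0
        if len(tag) != len(expected):
            return False
        for want, got in zip(expected, tag):
            self.work += 1
            if want != got:
                return False          # early exit: leaks the matching prefix length
        return True


class ConstantTimeVerifier(LeakyVerifier):
    """Same interface, but the comparison always touches every byte."""

    def verify(self, msg: bytes, tag: bytes) -> bool:
        expected = mac(self._key, msg)
        self.work = len(expected)     # cost independent of where bytes differ
        return hmac.compare_digest(expected, tag)


def forge_tag(verifier: LeakyVerifier, msg: bytes) -> Optional[bytes]:
    """Attacker: build a valid tag for `msg` one byte at a time, using only
    the verifier's accept/reject answer and the side channel (`work`).

    For each position, try all 256 values and keep the one that made the
    server do more work than the rest. Returns the forged tag when the
    oracle leaks, or None when every guess costs the same (no leak).
    The key is never touched.
    """
    guess = bytearray(TAG_LEN)
    for i in range(TAG_LEN):
        work = {}
        for b in range(256):
            guess[i] = b
            if verifier.verify(msg, bytes(guess)):
                return bytes(guess)   # full tag accepted by the server
            work[b] = verifier.work
        best = max(work, key=work.get)
        if work[best] == min(work.values()):
            return None               # no outlier: nothing to learn
        guess[i] = best
    return None


if __name__ == "__main__":
    key = os.urandom(32)                          # attacker never sees this
    cookie = b"user=admin;expires=2030-01-01"     # constructed sample payload
    forged = forge_tag(LeakyVerifier(key), cookie)
    print("leaky verifier: forged valid tag?", forged == mac(key, cookie))
    print("constant-time verifier: forged valid tag?",
          forge_tag(ConstantTimeVerifier(key), cookie) is not None)
```

Against `LeakyVerifier` the search needs at most 256 queries per tag byte and ends with a cookie the server accepts, which is exactly the "valid cookie for an administrator expiring in 2030" scenario above; the key stays secret, which is why rotating it is optional once the check is fixed. Against `ConstantTimeVerifier` every guess costs the same and the search gives up at the first byte.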


More information about the web-devel mailing list