
use of uuid4.hex() for token generation is not secure #12

Open
socketpair opened this issue Oct 27, 2015 · 4 comments

Comments

@socketpair

binascii.b2a_base64(os.urandom(24))[:-1] is faster and much more secure since:

  1. it does not involve uuid, which is not suitable for secure token generation
  2. it uses the OS-provided, much more secure random source as opposed to Python's random
  3. it generates a 32-byte string too, but 64**24 = 2**144 random items, while your way generates 256**16 = 2**128 variants

It needs to be checked for special symbols like / and +.
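
The approach discussed in this thread, as an added example (not code from this project or its author): a token built from os.urandom bytes encoded with binascii.b2a_base64, beside a URL-safe variant that avoids the '/' and '+' question entirely, plus helpers that work out the entropy (8 bits per random byte) and the encoded length for a given byte count.

```python
import base64
import binascii
import math
import os
import re

# Added example for this issue thread; not the project's own code.

_B64_STD = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_B64_URL = re.compile(r"^[A-Za-z0-9_-]+$")


def token_b64(nbytes: int = 24) -> str:
    """Token built the way the comment above suggests: OS-provided random
    bytes, base64-encoded, with the trailing newline that b2a_base64 appends
    stripped off. Standard base64 output may contain '/' and '+'."""
    return binascii.b2a_base64(os.urandom(nbytes))[:-1].decode("ascii")


def token_urlsafe(nbytes: int = 24) -> str:
    """Same entropy source, but encoded with the URL-safe alphabet ('-' and
    '_' instead of '+' and '/') and with '=' padding removed, so the token
    needs no special-character handling in cookies, headers or URLs."""
    raw = base64.urlsafe_b64encode(os.urandom(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def entropy_bits(nbytes: int) -> int:
    """Each byte from os.urandom contributes 8 bits of entropy; base64 only
    changes the representation, not the amount of randomness."""
    return 8 * nbytes


def encoded_length(nbytes: int, padded: bool = True) -> int:
    """Length of the base64 text for nbytes of input (4 chars per 3 bytes)."""
    if padded:
        return 4 * math.ceil(nbytes / 3)
    return math.ceil(4 * nbytes / 3)


def looks_like_token(tok: str, urlsafe: bool) -> bool:
    """Checks only the encoding alphabet; it is not a randomness test."""
    return bool((_B64_URL if urlsafe else _B64_STD).match(tok))


if __name__ == "__main__":
    print(token_b64(), token_urlsafe(), entropy_bits(24), encoded_length(24))
```

On Python 3.6 and later, secrets.token_urlsafe(nbytes) from the standard library produces the same kind of token as token_urlsafe above and is the idiomatic choice.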

@MitchellChu
Owner

Thanks for your comment.
In my opinion, slash and plus are legal in cookie values.
What is the risk of generating tokens with base64 directly?

@socketpair
Author

base64 is just a way to encode a binary value. It has nothing in common with generating random data.

@socketpair
Author

If you ask about the base64 module: it is just a wrapper over the binascii module; see the sources. Using binascii directly is just faster in your case.

@MitchellChu
Owner

This feature was added in version 1.1.5; thank you for your suggestion.
