drakken.security module
Session security module.
- drakken.security.create_CSRF_token()
Create CSRF token.
- Returns:
CSRF token.
- Return type:
str
- drakken.security.create_session_cookie(token)
Create a session cookie from the token string.
To close the session when the browser closes, set SESSION_COOKIE_AGE = 0.
- Parameters:
token (str) – unique session ID.
- Returns:
Cookie parameters to pass to webob.Response.set_cookie().
- Return type:
dict
- drakken.security.create_session_token()
Create a session token, also known as a session ID.
- Returns:
Session token.
- Return type:
str
- drakken.security.fast_hash(s)
Hash string s using SHA256.
Use on session IDs and similar values where speed is essential.
- Parameters:
s (str) – string to be hashed.
- Returns:
Hashed input string.
- Return type:
str
- drakken.security.gensalt()
Create a salt.
- Returns:
Password salt.
- Return type:
str
- drakken.security.slow_hash(s, salt)
Hash string s with salt.
Use on passwords and password reset tokens before storing them in the database. It is deliberately slow, so do not use it on session IDs.
Note
Uses scrypt, which is designed to read and write randomly to a large amount of memory. This removes the advantage ASICs have in cracking passwords and makes parallelization prohibitively expensive. The n, r, p values are those suggested by OWASP.
- Parameters:
s (str) – string to be hashed.
salt (str) – random string added to input string.
- Returns:
Hashed input string.
- Return type:
bytes
- drakken.security.verify(s, salt, h)
Return True if s, slow-hashed with salt, matches h.
- Parameters:
s (str) – string to be tested.
salt (str) – random string added to input string.
h (bytes) – hash bytes.
- Returns:
True if string + salt matches hash.
- Return type:
bool
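The split between slow_hash/verify (scrypt, for secrets a user chooses) and fast_hash (plain SHA256, for high-entropy session IDs) is the security-relevant design of this module. The following is an added illustration of that pattern written for this page, not drakken's own code: the scrypt cost parameters are constructed demo values (OWASP's current minimum is n=2**17, r=8, p=1; the values drakken uses are not stated here), and the helper names mirror the API above only for readability.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters. OWASP's recommended minimum for scrypt is
# n=2**17, r=8, p=1 (128 MiB of memory); n is lowered here so the example
# runs in well under a second. scrypt needs roughly 128*r*n bytes, which
# exceeds hashlib's default maxmem, so the limit is passed explicitly.
SCRYPT_N = 2 ** 15
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 128 * SCRYPT_R * SCRYPT_N + 1024 * 1024


def gensalt(nbytes: int = 16) -> str:
    """Fresh random salt; generate a new one for every slow_hash() call."""
    return secrets.token_hex(nbytes)


def slow_hash(s: str, salt: str) -> bytes:
    """Memory-hard scrypt hash for passwords and password-reset tokens."""
    return hashlib.scrypt(
        s.encode("utf-8"),
        salt=salt.encode("utf-8"),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM,
        dklen=32,
    )


def verify(s: str, salt: str, h: bytes) -> bool:
    """Recompute the hash and compare in constant time (no early exit on
    the first differing byte, so timing does not leak how close a guess was)."""
    return hmac.compare_digest(slow_hash(s, salt), h)


def fast_hash(s: str) -> str:
    """Unsalted SHA256 for session IDs: the ID is already 256 bits of
    randomness, so stretching buys nothing; hashing it before storage means
    a leaked session table does not hand out usable session cookies."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def create_session_token(nbytes: int = 32) -> str:
    """Session ID from the OS CSPRNG, never from time or a counter."""
    return secrets.token_urlsafe(nbytes)
```

A stored credential is then the pair (salt, slow_hash(password, salt)), while the session table holds fast_hash(token) and the browser holds the raw token.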