regarding Session ID and cookie validation
146 views
Skip to first unread message
Samarjeet Singh
Apr 27, 2016, 6:22:42 AM4/27/16
to Django users
Hi All,
Your input is very much valuable ,kindly help me out regarding this.
But my main concern here is how does django framework validates the session id and cookie and is
it defalut in all the frameworks.I have seen the API (like signed and unsugned) also but how to ensure that my framework is doing
these checks:-
| 1. When cookies are used to carry authentication tokens or session IDs within a web application, and multiple such cookies are present, the django verify all such cookies before granting access to the user session. |
| 2. All conflicting cookies are treated as invalid by django. |
| 3. If validation of any such cookie fails, the cookie treated as if it didn't exist, and the event is added to the audit log or not by django. |
| 4. In django after validation of all such cookies, permission are evaluated based on the cookies for which validation succeeded. |
| 5. Cleartext Storage of Sensitive Information in a Cookie:info may be stored in plane of coded form and how much difficult it is to decode. |
| 6. Information Exposure Through Persistent Cookies:How many old or unused cookie are stored and persist in the system |
| 7. Reliance on Cookies without Validation and Integrity Checking:- Is it doing the signing and unsigningalways for the integrity check and is this only been done by the default django frame work. |
| 8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : if it is OFF or ON and in which circumstaces this should be ON. |
| 9. Session IDs are fully validated before they may be used:how is session Id validated in django and the API used for it and how can i check in my framework. |
regards
samarjeet singh
Avraham Serour
May 1, 2016, 10:04:55 AM5/1/16
to django-users
> 1. When cookies are used to carry authentication tokens or session IDs within a web application, and multiple such cookies are present, the django verify all such cookies before granting access to the user session.
What kind of verification do you expect here? if the submited session id is a valid session id?
> 2. All conflicting cookies are treated as invalid by django.
What's the question here?
> 3. If validation of any such cookie fails, the cookie treated as if it didn't exist, and the event is added to the audit log or not by django.
If this is a question then yes, user is treated as not logged in.
> 4. In django after validation of all such cookies, permission are evaluated based on the cookies for which validation succeeded.
No, permission is handled by the application and stored on db, it would be a huge security issue if the permissions were stored on the cookie
> 5. Cleartext Storage of Sensitive Information in a Cookie:info may be stored in plane of coded form And how much difficult it is to decode.
what's the question here?
> 6. Information Exposure Through Persistent Cookies:How many old or unused cookie are stored and persist in the system
If I remember correctly django stores two cookies by default, session id and language
> 7. Reliance on Cookies without Validation and Integrity Checking:- Is it doing the signing and unsigningalways for the integrity check and is this only been done by the default django framework
I didn't understand the question
> 8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute : if it is OFF or ON and in which circumstaces this should be ON.
Don't be lazy, this one you can easily make a hello world and check yourself
> 9. Session IDs are fully validated before they may be used:how is session Id validated in django and the API used for it and how can i check in my framework
Session id's are checked if they are present on the database. Why do you want to check yourself? do you need to replace the validation?
good luck
Avraham
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1ad806f5-73d8-4389-866d-de3e884f4415%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Samarjeet Singh
May 3, 2016, 3:07:26 AM5/3/16
to Django users
thanks for the reply
what my main concern is that does django logs every bad cookie (if the cookie is not correct does it logs this ( no it does not i think) but what does it do except not letting the user to enter does it raise any exception )
what my main concern is that does django logs every bad cookie (if the cookie is not correct does it logs this ( no it does not i think) but what does it do except not letting the user to enter does it raise any exception )
Reply all
Reply to author
Forward
0 new messages