Why are session cookies not considered sensitive?


Tobias Bengfort

Jan 17, 2022, 4:09:07 PM
to django-d...@googlegroups.com
Hi,

AFAIU, SafeExceptionReporterFilter takes care of removing any sensitive
data from logs. However, I today realized that this does not cover
session cookies.

In a ticket about this issue[1] it was treated not as a security issue
but more as a request for customization. That puzzled me a bit. Why are
session cookies not treated as sensitive, just like passwords are?

thanks,
tobias


[1]: https://code.djangoproject.com/ticket/29714

Florian Apolloner

Jan 18, 2022, 4:28:40 AM
to Django developers (Contributions to Django itself)
Hi,

I agree that we should treat session cookies as sensitive and hide them like we do with passwords. That said, please be aware that all the SafeException reporters are best effort and it is generally not possible to have a "safe" exception.

In that sense, patches welcome, but we are not going to treat this as a security issue (i.e. no backporting).

Cheers,
Florian
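The gap the thread describes, as an added stand-alone example (not Django's code and not from either poster): key-name filtering modelled on Django's `hidden_settings` pattern hides `HTTP_X_API_KEY` but leaves `HTTP_COOKIE`, and with it the session id, readable, while the second cleanser redacts the session cookie the way a password would be. The regex, the substitute string and the cookie name `sessionid` are assumptions about Django's defaults; the request META is constructed.

```python
import re
from http.cookies import SimpleCookie

# Stand-ins for Django's defaults (assumption: mirror cleansed_substitute,
# hidden_settings and SESSION_COOKIE_NAME; not imported from Django).
CLEANSED = "********************"
HIDDEN_KEYS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
SESSION_COOKIE_NAME = "sessionid"


def cleanse_setting(key: str, value: str) -> str:
    """Password-style cleansing: hide the value only when the *key* looks sensitive."""
    return CLEANSED if HIDDEN_KEYS.search(key) else value


def cleanse_meta_password_style(meta: dict) -> dict:
    """Key-name filtering alone: 'HTTP_COOKIE' matches nothing, so the session id leaks."""
    return {k: cleanse_setting(k, v) for k, v in meta.items()}


def cleanse_cookie_header(header: str) -> str:
    """Redact the session cookie (and token-like names) but keep harmless cookies readable."""
    jar = SimpleCookie()
    jar.load(header)
    return "; ".join(
        f"{name}={CLEANSED if name == SESSION_COOKIE_NAME or HIDDEN_KEYS.search(name) else m.value}"
        for name, m in jar.items()
    )


def cleanse_meta_with_session(meta: dict) -> dict:
    """What the thread asks for: treat the session cookie like a password in reports."""
    cleansed = cleanse_meta_password_style(meta)
    if "HTTP_COOKIE" in meta:
        cleansed["HTTP_COOKIE"] = cleanse_cookie_header(meta["HTTP_COOKIE"])
    return cleansed


# Constructed request META, as an error mail or the debug page would dump it.
SAMPLE_META = {
    "HTTP_COOKIE": "csrftoken=Vq3wXyZ; sessionid=p8l2kq9s; theme=dark",
    "HTTP_X_API_KEY": "k-0011",
    "REMOTE_ADDR": "192.0.2.10",
}

if __name__ == "__main__":
    print("password-style:", cleanse_meta_password_style(SAMPLE_META)["HTTP_COOKIE"])
    print("with session:  ", cleanse_meta_with_session(SAMPLE_META)["HTTP_COOKIE"])
```

In a real project the same logic belongs in a `SafeExceptionReporterFilter` subclass selected with the `DEFAULT_EXCEPTION_REPORTER_FILTER` setting, and the cookie name should come from `settings.SESSION_COOKIE_NAME`.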