Why are session cookies not considered sensitive?


Tobias Bengfort

17 Jan 2022, 16:09:07
to django-d...@googlegroups.com
Hi,

AFAIU, SafeExceptionReporterFilter takes care of removing any sensitive
data from logs. However, I today realized that this does not cover
session cookies.

In a ticket about this issue[1] it was treated not as a security issue
but more as a request for customization. That puzzled me a bit. Why are
session cookies not treated as sensitive, just like passwords are?

thanks,
tobias


[1]: https://code.djangoproject.com/ticket/29714

Florian Apolloner

18 Jan 2022, 04:28:40
to Django developers (Contributions to Django itself)
Hi,

I agree that we should treat session cookies as sensitive and hide them like we do with passwords. That said, please be aware that all the SafeException reporters are best effort and it is generally not possible to have a "safe" exception.

In that sense, patches welcome, but we are not going to treat this as a security issue (i.e. no backporting).

Cheers,
Florian
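A minimal model of the cleansing behaviour the thread is about, added here as an example (it is not Django's code and not a patch from this thread). It reproduces Django's name-based rule (the `hidden_settings` pattern and the 20-asterisk `cleansed_substitute`, as I know them from Django's source) in a stand-in class, and shows why the default pattern leaves `sessionid` visible while an extended pattern masks it, both in the cookie dict and in the raw `HTTP_COOKIE` header. The request data is constructed; on a real project the equivalent hook is a `SafeExceptionReporterFilter` subclass named in the `DEFAULT_EXCEPTION_REPORTER_FILTER` setting.

```python
import re
from http.cookies import SimpleCookie

# Constants reproduced from Django's SafeExceptionReporterFilter (assumption: current values).
CLEANSED_SUBSTITUTE = "********************"
DEFAULT_HIDDEN = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
# Extended pattern: also hide session/CSRF cookies and the raw Cookie header itself.
HIDDEN_WITH_SESSION = re.compile(
    r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE|SESSION|CSRF|HTTP_COOKIE", re.I
)

# Constructed sample request data (hypothetical values).
SAMPLE_COOKIES = {"sessionid": "abc123", "csrftoken": "tok456", "theme": "dark"}
SAMPLE_META = {
    "HTTP_HOST": "example.test",
    "HTTP_COOKIE": "sessionid=abc123; csrftoken=tok456; theme=dark",
}


class CookieReportFilter:
    """Stand-in for the filter hooks; not django.views.debug.SafeExceptionReporterFilter."""

    def __init__(self, hidden=DEFAULT_HIDDEN, substitute=CLEANSED_SUBSTITUTE):
        self.hidden = hidden
        self.substitute = substitute

    def cleanse_setting(self, key, value):
        # Redact a value when its *name* matches the pattern; the value itself is never inspected.
        return self.substitute if self.hidden.search(str(key)) else value

    def get_safe_cookies(self, cookies):
        return {k: self.cleanse_setting(k, v) for k, v in cookies.items()}

    def get_safe_request_meta(self, meta):
        safe = {k: self.cleanse_setting(k, v) for k, v in meta.items()}
        raw = meta.get("HTTP_COOKIE")
        # If the whole header was not hidden, redact the individual cookie values inside it,
        # otherwise the session id would still leak through META even with safe cookies.
        if raw is not None and safe["HTTP_COOKIE"] == raw:
            jar = SimpleCookie()
            jar.load(raw)
            safe["HTTP_COOKIE"] = "; ".join(
                f"{name}={self.cleanse_setting(name, m.value)}" for name, m in jar.items()
            )
        return safe


if __name__ == "__main__":
    for flt in (CookieReportFilter(), CookieReportFilter(HIDDEN_WITH_SESSION)):
        print(flt.get_safe_cookies(SAMPLE_COOKIES), flt.get_safe_request_meta(SAMPLE_META))
```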