Are django sessisons safe to use for mission critical signup forms?

Question

What is the best practice when designing a mission critical signup form when it comes to using django-powered sessions?

1. Is it generally considered ok to require the user to accept the session cookie?
2. Are there any tips to maximize the percent of users who can accept the session cookie?

Answer 1

We've used Django for this for almost 3 years and had zero problems. Of course you want to start with the form on an HTTPS page and not just submit to HTTPS -- it makes people feel safer.

Django doesn't play the "cookie in the URL" game like some PHP platforms, so if the user doesn't accept cookies it ain't gonna work.

Don't forget that once you have all of that sensitive data you have to handle it correctly. We only store the last 4 digits in the online database, and that's just for verification purposes. Everything else is managed through a back door connection to a separate company that handles subscription management for us.

Answer 2

Don't try and deal with credit cards in your own app. There are all sorts of security issues. Hand off to one of the firms that specialise in that area - I've used RBS Worldpay successfully, but there are plenty of others, and they all expose good APIs.