Is the session safe for sensitive data?

I come from the session docs, trying to find out how safe the sessions are for sensitive data.

I want to cache remote connections, more specifically SSH connections.

The docs mention some security issues with pickle but that's not what I'm looking for.

Would the sessions store SSH authentication data in plain text (no matter whether it is in the database, in files or anywhere else)?

Adrián asked Sep 19 '13 13:09



1 Answer

The Django session system stores your session in the configured SESSION_ENGINE.

The most common one to use is the database, but the filesystem, a cache system or signed cookies are also options. Since everything except the cookies is on the server, they should be fairly "safe", but they are only as safe as your server is.

The data is not encrypted, though. It should be noted, however, that if someone has access to your server they will also have access to your encryption keys, since your server still needs to be able to decrypt the data, so it doesn't make much difference in the end. For the most safety I would recommend storing the sessions (possibly encrypted) in Redis, which disappears as soon as Redis shuts down.

Storing them encrypted in the cookies is a good alternative to keep the data safe, but only when using https so they cannot be sniffed. And don't forget that you will still need to encrypt it yourself.

Wolph answered Sep 27 '22 20:09
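An added, stdlib-only illustration of the answer's two points (not code from the question, the answer or Django itself): a Django signed-cookie session value has the layout `<base64 JSON>:<timestamp>:<signature>`, so only the signature depends on `SECRET_KEY` and the payload can be read back without it; the fix the answer suggests is to keep the secret server side and put only an opaque handle in the session. `make_cookie_like_django` reproduces the layout with a simplified HMAC (an assumption; Django derives its MAC key with a salt), and the in-memory dict stands in for Redis.

```python
import base64
import hashlib
import hmac
import json
import secrets
import zlib
from typing import Optional

# Layout of SESSION_ENGINE = "django.contrib.sessions.backends.signed_cookies":
#   <urlsafe-base64 JSON, unpadded>:<base62 timestamp>:<signature>
# If the JSON was zlib-compressed, the first part is prefixed with ".".


def make_cookie_like_django(session: dict, secret_key: str,
                            timestamp: str = "1abcdef", compress: bool = False) -> str:
    """Constructed stand-in for Django's signing.dumps(): same layout, simplified HMAC."""
    raw = json.dumps(session).encode()
    if compress:
        raw = zlib.compress(raw)
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    if compress:
        payload = "." + payload
    value = f"{payload}:{timestamp}"
    # Django uses a salted key derivation; plain HMAC-SHA256 is enough to show the shape.
    mac = hmac.new(secret_key.encode(), value.encode(), hashlib.sha256).digest()
    return f"{value}:{base64.urlsafe_b64encode(mac).decode().rstrip('=')}"


def peek_without_key(cookie: str) -> dict:
    """Recover the session payload without SECRET_KEY: it is base64, not ciphertext."""
    b64 = cookie.split(":")[0]
    compressed = b64.startswith(".")
    if compressed:
        b64 = b64[1:]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


# Server-side store (Redis in the answer; a plain dict here) keyed by a random handle.
SERVER_SIDE_STORE = {}


def stash_server_side(credential: dict) -> str:
    """Keep the credential on the server; return the opaque handle to put in the session."""
    handle = secrets.token_urlsafe(32)
    SERVER_SIDE_STORE[handle] = credential
    return handle


def resolve_handle(handle: str) -> Optional[dict]:
    """Look the credential up again from the handle carried in the session."""
    return SERVER_SIDE_STORE.get(handle)
```

With the handle pattern the cookie still decodes, but all it reveals is a random token that is useless without access to the server-side store.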