I come from the session docs, trying to find out how safe the sessions are for sensitive data.
I want to cache remote connections, more specifically SSH connections.
The docs mention some security issues with pickle but that's not what I'm looking for.
Would the sessions store SSH authentication data in plain text (no matter it is in the database, files or wherever)?
The session data itself is stored server side. The only thing that is stored on the client's computer is a cookie with a unique identifier so the server knows which session to load at the server side. Users cannot manipulate the data stored in the session itself, so in that sense, sessions are secure.
"Safe" is a relative word, but information stored in the _SESSION is approximately as safe as information stored in the database .. only someone who legitimately hacked your server would be able to access it. That said, sessions themselves may not be safe. A malicious user may be able fixate or hijack a session.
What is a Session? Sessions are more secure than cookies, since they're normally protected by some kind of server-side security.
The Django session system stores your session in the configured SESSION_ENGINE
.
The most common one to use is the database, but the filesystem, a cache system or signed cookies are also options. Since everything except the cookies are on the server they should be fairly "safe" but they are only as safe as your server is.
The data is not encrypted though, but it should be noted that if someone has access to your server they will also have access to your encryption keys since your server still needs to be able to decrypt the data so it doesn't make much difference in the end. For most safety I would recommend storing the sessions (possibly encrypted) in Redis which disappears as soon as Redis shuts down.
Storing them encrypted in the cookies is a good alternative to keep the data safe, but only when using https so they cannot be sniffed. And don't forget that you will still need to encrypt it yourself.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With