Tuesday, April 26, 2016

regarding Session ID and cookie validation

Hi All,

Your input is very valuable; kindly help me out regarding this.

I need CSDL compliance for the following for a project using the Django framework.
My main concern is how the Django framework validates the session ID and cookie, and whether this is default in all frameworks. I have seen the API (like signed and unsigned) too, but how do I ensure that my framework is doing these checks:

1. When cookies are used to carry authentication tokens or session IDs within a web application, and multiple such cookies are present, does Django verify all such cookies before granting access to the user session?
2. Are all conflicting cookies treated as invalid by Django?
3. If validation of any such cookie fails, is the cookie treated as if it didn't exist, and is the event added to the audit log or not by Django?
4. In Django, after validation of all such cookies, are permissions evaluated based on the cookies for which validation succeeded?
5. Cleartext storage of sensitive information in a cookie: information may be stored in plain or encoded form, and how difficult is it to decode?
6. Information exposure through persistent cookies: how many old or unused cookies are stored and persist in the system?
7. Reliance on cookies without validation and integrity checking: is it doing the signing and unsigning always for the integrity check, and is this only done by the default Django framework?
8. Sensitive cookie in HTTPS session without 'Secure' attribute: is it OFF or ON, and in which circumstances should this be ON?
9. Session IDs are fully validated before they may be used: how is the session ID validated in Django, what API is used for it, and how can I check this in my framework?
 

regards 
samarjeet singh

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1ad806f5-73d8-4389-866d-de3e884f4415%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
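Added example, not part of the original post and not Django's own code. The cookie layout (value:timestamp:signature) and the salted key derivation are modelled on the design of django.core.signing (what `response.set_signed_cookie()` / `request.get_signed_cookie()` and the session cookie signer are built on), but the hash choices are this example's own, so these cookies are not interoperable with real Django cookies. `SECRET_KEY`, `SALT`, `MAX_AGE` and the sample cookies are constructed. The block shows the policy points 1 to 4 and 7 of the post describe as application-level logic: every presented cookie is integrity-checked before its contents are trusted, a cookie that fails is treated as absent and logged, and valid cookies that disagree are all rejected. Note that Django's session middleware itself reads a single cookie by name (`settings.SESSION_COOKIE_NAME`), and duplicate cookie names are collapsed during cookie parsing, so a "verify all, reject conflicts" rule is something you would have to implement yourself, as sketched here. The last helper checks a Set-Cookie header for the Secure and HttpOnly attributes (point 8); in Django those correspond to `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_HTTPONLY`.

```python
"""Signed-cookie validation sketch (added example, not Django's own code).

Format and key derivation are modelled on django.core.signing, but this is
NOT wire-compatible with Django. SECRET_KEY, SALT and samples are constructed.
"""
import base64
import hashlib
import hmac
import logging
import time
from typing import List, Optional, Tuple

SECRET_KEY = b"example-secret-key-not-for-production"  # constructed, assumption
SALT = b"session.cookie"  # per-purpose salt so the session signer key differs from other signers
MAX_AGE = 3600            # seconds a signed cookie stays valid (assumption)

audit_log = logging.getLogger("cookie_audit")


class BadSignature(Exception):
    """Cookie failed the integrity check: malformed, tampered, or wrong key."""


class SignatureExpired(BadSignature):
    """Signature verified, but the embedded timestamp is older than max_age."""


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding: never contains ':' so the separator is unambiguous
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _derived_key(salt: bytes) -> bytes:
    # Derive a purpose-specific key from the secret (the idea behind Django's salted_hmac)
    return hashlib.sha256(salt + b"signer" + SECRET_KEY).digest()


def _mac(payload: str) -> str:
    return _b64(hmac.new(_derived_key(SALT), payload.encode("utf-8"), hashlib.sha256).digest())


def sign(value: str, timestamp: Optional[int] = None) -> str:
    """Produce value:timestamp:signature; the timestamp parameter makes tests deterministic."""
    ts = int(time.time()) if timestamp is None else timestamp
    payload = "%s:%d" % (value, ts)
    return payload + ":" + _mac(payload)


def unsign(signed: str, max_age: int = MAX_AGE, now: Optional[int] = None) -> str:
    """Return the original value, or raise BadSignature / SignatureExpired.

    The MAC is checked before the timestamp is parsed, so no field of an
    unauthenticated cookie ever influences control flow.
    """
    try:
        value, ts_str, sig = signed.rsplit(":", 2)
    except ValueError:
        raise BadSignature("malformed cookie") from None
    payload = value + ":" + ts_str
    # Constant-time comparison; compare bytes so a non-ASCII cookie cannot raise TypeError
    if not hmac.compare_digest(sig.encode("utf-8"), _mac(payload).encode("ascii")):
        raise BadSignature("signature mismatch")
    current = int(time.time()) if now is None else now
    if current - int(ts_str) > max_age:
        raise SignatureExpired("cookie older than max_age")
    return value


def resolve_session(cookies: List[str], now: Optional[int] = None) -> Tuple[Optional[str], List[str]]:
    """Apply the policy from points 1-4 of the post to every presented session cookie.

    Returns (session_id or None, audit events). Cookies that fail validation are
    treated as absent and logged; if the valid ones disagree, all are rejected.
    """
    accepted = set()
    events: List[str] = []
    for raw in cookies:
        try:
            accepted.add(unsign(raw, now=now))
        except BadSignature as exc:
            events.append("discarded cookie (%s)" % exc)
            audit_log.warning(events[-1])
    if len(accepted) > 1:
        events.append("conflicting valid session cookies; rejecting all")
        audit_log.warning(events[-1])
        return None, events
    return (accepted.pop() if accepted else None), events


def missing_cookie_flags(set_cookie_header: str) -> List[str]:
    """Report which of Secure and HttpOnly a Set-Cookie header lacks (point 8)."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


if __name__ == "__main__":
    good = sign("sess-A", timestamp=1000)
    forged = "sess-B" + good[len("sess-A"):]  # value swapped, original signature kept
    print(resolve_session([good, forged], now=1500))
    print(missing_cookie_flags("sessionid=%s; Path=/; HttpOnly" % good))
```

Running the block shows the forged cookie being discarded with a "signature mismatch" event while the genuine one is accepted; presenting two genuine cookies for different sessions yields no session at all. In a real Django project the equivalent integrity check is `request.get_signed_cookie(name, max_age=...)`, which raises `django.core.signing.BadSignature` on failure, and the attribute check maps to `SESSION_COOKIE_SECURE = True` (set it whenever the site is served over HTTPS) and `SESSION_COOKIE_HTTPONLY = True`.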
