Sunday, May 1, 2016

Re: regarding Session ID and cookie validation

> 1. When cookies are used to carry authentication tokens or session IDs within a web application, and multiple such cookies are present, Django verifies all such cookies before granting access to the user session.
What kind of verification do you expect here? Whether the submitted session ID is a valid session ID?

> 2. All conflicting cookies are treated as invalid by Django.
What's the question here?

> 3. If validation of any such cookie fails, the cookie is treated as if it didn't exist, and the event is added to the audit log or not by Django.
If this is a question then yes, the user is treated as not logged in.

> 4. In Django, after validation of all such cookies, permissions are evaluated based on the cookies for which validation succeeded.
No, permissions are handled by the application and stored in the DB; it would be a huge security issue if the permissions were stored in the cookie.

> 5. Cleartext Storage of Sensitive Information in a Cookie: info may be stored in plain or coded form, and how difficult is it to decode?
What's the question here?

> 6. Information Exposure Through Persistent Cookies: how many old or unused cookies are stored and persist in the system?
If I remember correctly, Django stores two cookies by default, session ID and language.

> 7. Reliance on Cookies without Validation and Integrity Checking: is it doing the signing and unsigning always for the integrity check, and is this only done by the default Django framework?
I didn't understand the question.

> 8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: is it OFF or ON, and in which circumstances should this be ON?
Don't be lazy, this one you can easily make a hello world and check yourself.

> 9. Session IDs are fully validated before they may be used: how is the session ID validated in Django, what API is used for it, and how can I check in my framework?
Session IDs are checked for whether they are present in the database. Why do you want to check yourself? Do you need to replace the validation?

good luck
Avraham
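
The two checks Avraham describes (the signature on a signed cookie, and the lookup of the session ID in the server-side store) are shown below as an added example. This is not code from the thread and not Django's own implementation: it uses only the Python standard library so it runs without Django, the HMAC signing mirrors the pattern of django.core.signing rather than calling it, and the secret key, the session store dict and the cookie values are constructed for the example. It also covers points 3 and 8 of the original question: a cookie that fails validation is treated as absent and the failure is recorded to a caller-supplied audit list, and a Set-Cookie header is parsed to confirm whether the Secure attribute is present.

```python
"""Added example (not from the thread or from Django): cookie integrity via an
HMAC signature in the style of django.core.signing, followed by a lookup of the
session key in a server-side store (a dict standing in for the session table)."""
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for this example; Django would use settings.SECRET_KEY.
SECRET_KEY = "example-secret-key-not-for-real-use"
SEP = ":"


class BadSignature(Exception):
    """Raised when a cookie's signature is missing or does not match."""


def _tag(value: str, key: str) -> str:
    """HMAC-SHA256 over the value, URL-safe base64 without padding."""
    raw = hmac.new(key.encode(), value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign(value: str, key: str = SECRET_KEY) -> str:
    """Append a tag so that any change to value is detectable on unsign()."""
    return f"{value}{SEP}{_tag(value, key)}"


def unsign(signed: str, key: str = SECRET_KEY) -> str:
    """Return the original value, or raise BadSignature if tampered or unsigned."""
    value, sep, tag = signed.rpartition(SEP)
    if not sep:
        raise BadSignature("no signature present")
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(_tag(value, key), tag):
        raise BadSignature("signature mismatch")
    return value


# Constructed server-side session store: session key -> user id.
SESSION_STORE = {"k7f3a9": "alice"}


def resolve_user(cookies: dict, audit: list, key: str = SECRET_KEY):
    """Points 3 and 9: a cookie that fails validation is treated as if it did
    not exist (anonymous user, returned as None), the failure is appended to
    the caller-supplied audit list, and even a correctly signed cookie must
    still name a session the server knows about."""
    raw = cookies.get("sessionid")
    if raw is None:
        return None
    try:
        session_key = unsign(raw, key)
    except BadSignature as exc:
        audit.append(f"sessionid rejected: {exc}")
        return None
    user = SESSION_STORE.get(session_key)
    if user is None:
        audit.append("sessionid rejected: unknown session")
    return user


def cookie_is_secure(set_cookie_header: str, name: str = "sessionid") -> bool:
    """Point 8: parse a Set-Cookie header and report whether the named cookie
    carries the Secure attribute (browsers then only send it over HTTPS)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return bool(jar[name]["secure"]) if name in jar else False


if __name__ == "__main__":
    audit = []
    good = {"sessionid": sign("k7f3a9")}
    # Session key altered after signing: signature no longer matches.
    forged = {"sessionid": "k7f3a8" + sign("k7f3a9")[6:]}
    # Correctly signed, but the session does not exist server-side.
    stale = {"sessionid": sign("zz0000")}
    print(resolve_user(good, audit))    # alice
    print(resolve_user(forged, audit))  # None
    print(resolve_user(stale, audit))   # None
    print(audit)
    print(cookie_is_secure("sessionid=k7f3a9; Path=/; Secure; HttpOnly"))  # True
    print(cookie_is_secure("sessionid=k7f3a9; Path=/"))                    # False
```

Running the module shows the signed value being accepted, a modified value and an unknown session both collapsing to the anonymous user with an audit entry each, and the Secure check answering the "is it ON or OFF" question directly from the response header a hello-world app returns.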


On Wed, Apr 27, 2016 at 8:58 AM, Samarjeet Singh <samarjeethsingh@gmail.com> wrote:
Hi All,

Your input is very valuable; kindly help me out regarding this.

I need to have CSDL compliance for the following for a project using the Django framework.
My main concern here is how the Django framework validates the session ID and cookie, and whether this is
default in all the frameworks. I have seen the API (like signed and unsigned) also, but how do I ensure that my framework is doing
these checks:
1. When cookies are used to carry authentication tokens or session IDs within a web application, and multiple such cookies are present, Django verifies all such cookies before granting access to the user session.
2. All conflicting cookies are treated as invalid by Django.

3. If validation of any such cookie fails, the cookie is treated as if it didn't exist, and the event is added to the audit log or not by Django.

4. In Django, after validation of all such cookies, permissions are evaluated based on the cookies for which validation succeeded.

5. Cleartext Storage of Sensitive Information in a Cookie: info may be stored in plain or coded form, and how difficult is it to decode?
6. Information Exposure Through Persistent Cookies: how many old or unused cookies are stored and persist in the system?
7. Reliance on Cookies without Validation and Integrity Checking: is it doing the signing and unsigning always for the integrity check, and is this only done by the default Django framework?

8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: is it OFF or ON, and in which circumstances should this be ON?

9. Session IDs are fully validated before they may be used: how is the session ID validated in Django, what API is used for it, and how can I check in my framework?

regards
samarjeet singh

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/1ad806f5-73d8-4389-866d-de3e884f4415%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

