On 22 Sep 2016, at 20:32, James Bennett <ubernost...@gmail.com> wrote:
> So personally I'd like to hear some more about why this is seen as necessary
> before I'd endorse work to actually implement it.
The reason why I originally filed a security report is that session stores tend
to have less focus on security than databases.
Of course this is a moot point when sessions are stored in the database, but I
won’t start a debate about why Django still encourages this; that isn’t the
point of this thread ;-)
For example, Redis is well known for advertising that it has no security and
should only be run within a secure network. (Defense in depth, anyone?) Still, a
bunch of companies provide Redis as a service, usually on random EC2 instances
directly reachable from the Internet. The best ones require going through an
SSL endpoint and providing a password, but an attacker can still talk directly
to Redis, which is concerning given its stance on security.
In contrast, the authors of PostgreSQL have implemented an authentication and
authorization framework. I’m not qualified to say if it’s robust, but at least
it’s better than shrugging off security entirely.
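As an added example (not from this thread and not Django's own code), a small Python check that audits a Django-style settings dict for the weaknesses the message describes: a cache-backed session store pointed at a Redis URL with no TLS endpoint, no password, or a host outside the private network. SESSION_ENGINE, SESSION_CACHE_ALIAS and CACHES are real Django settings; the helper functions, the private-range list and the sample settings are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Assumption: "inside the secure network" means RFC 1918 ranges, loopback and
# ULA/loopback for IPv6. Adjust to your own address plan.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "fc00::/7", "::1/128")]


def audit_redis_url(url):
    """Return findings for a Redis URL that holds session data.

    Flags the three weaknesses the message describes: no TLS endpoint,
    no password, and a host that is not on a private network.
    """
    findings = []
    p = urlparse(url)
    if p.scheme != "rediss":
        findings.append("no TLS: scheme is %r, expected 'rediss'" % p.scheme)
    if not p.password:
        findings.append("no password in URL")
    host = p.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # DNS name: reachability cannot be judged offline
    if addr is not None and not any(addr in n for n in PRIVATE_NETS):
        findings.append("host %s is outside the private ranges" % host)
    return findings


def audit_session_store(settings):
    """Audit the cache used by Django's cache-backed session engines.

    `settings` is a plain dict mirroring SESSION_ENGINE, SESSION_CACHE_ALIAS
    and CACHES. Database, file and cookie engines return no findings here.
    """
    engine = settings.get("SESSION_ENGINE", "")
    if not engine.endswith((".cache", ".cached_db")):
        return []
    alias = settings.get("SESSION_CACHE_ALIAS", "default")
    return audit_redis_url(settings["CACHES"][alias]["LOCATION"])


# Constructed sample settings, not taken from any real deployment.
WEAK = {"SESSION_ENGINE": "django.contrib.sessions.backends.cache",
        "CACHES": {"default": {"LOCATION": "redis://203.0.113.10:6379/0"}}}
HARDENED = {"SESSION_ENGINE": "django.contrib.sessions.backends.cached_db",
            "SESSION_CACHE_ALIAS": "sessions",
            "CACHES": {"sessions": {
                "LOCATION": "rediss://:placeholder-pw@10.0.0.5:6380/1"}}}
```

Run it against WEAK to see all three findings and against HARDENED to see none; a DNS hostname only gets the TLS and password checks, since the script cannot resolve it offline.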