On 22 Sep 2016, at 20:32, James Bennett <ubernost...@gmail.com> wrote:

> So personally I'd like to hear some more about why this is seen as necessary 
> before I'd endorse work to actually implement it.
The reason why I originally filed a security report is that session stores tend 
to have less focus on security than databases.

Of course, this is a moot point when sessions are stored in the database, but I 
won’t start a debate about why Django still encourages this; that isn’t the 
point of this thread ;-)

For example Redis is well known for advertising that it has no security and 
should only be run within a secure network. (Defense in depth, anyone?) Still a 
bunch of companies provide Redis as a service, usually on random EC2 instances 
directly reachable from the Internet. The best ones require going through an 
SSL endpoint and providing a password, but an attacker can still talk directly 
to Redis, which is concerning given its stance on security.

In contrast, the authors of PostgreSQL have implemented an authentication and 
authorization framework. I’m not qualified to say if it’s robust, but at least 
it’s better than shrugging off security entirely.

-- 
Aymeric.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/0A4424F9-DA7B-4BB7-B558-34D4B3893CC7%40polytechnique.org.
For more options, visit https://groups.google.com/d/optout.
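The check a practitioner would want after reading the above is whether a given Redis endpoint answers commands to anyone who can reach the port, or at least demands a password first. The following probe is an added example written for this page; it is not code from the thread, from Django, or from any Redis-as-a-service provider. It speaks Redis's own RESP framing over a plain socket with nothing but the standard library; the verdict names ("open", "password-required", "protected-mode") and the sample replies are my own constructions, and any host name passed to `probe()` is hypothetical.

```python
"""Probe a Redis endpoint for the exposure discussed above: does it execute
commands with no credentials, or does it at least refuse until AUTH succeeds?
Standard library only; the wire format is RESP, the protocol Redis speaks."""
import socket


def resp_command(*args) -> bytes:
    """Encode a command as a RESP multi-bulk array: *<n>\\r\\n then $<len>\\r\\n<arg>\\r\\n per argument."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def classify_reply(reply: bytes) -> str:
    """Map the first line of the reply to an unauthenticated PING onto an exposure verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"                # the command ran with no credentials at all
    if line.startswith(b"-NOAUTH"):
        return "password-required"   # requirepass is set; the command surface is still reachable
    if line.startswith(b"-DENIED"):
        return "protected-mode"      # Redis 3.2+ refusing clients that are not on loopback
    return "unknown"


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, classify the answer. Any socket error is reported as 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(resp_command("PING"))
            return classify_reply(sock.recv(1024))
    except OSError:  # refused, timed out, no route: the port is not exposed to us
        return "unreachable"


# Constructed sample replies for offline use; not captured from any real service.
SAMPLE_REPLIES = {
    "no auth configured": b"+PONG\r\n",
    "requirepass set": b"-NOAUTH Authentication required.\r\n",
    "protected mode": b"-DENIED Redis is running in protected mode\r\n",
}


def classify_samples() -> dict:
    """Run the classifier over the constructed replies so the verdict table can be checked."""
    return {name: classify_reply(reply) for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:>20}: {verdict}")
    # probe("redis.example.internal")  # hypothetical host; point this at an endpoint you own
```

Note what the verdicts mean in the terms of the mail: a provider that fronts Redis with a TLS endpoint and a password still yields "password-required", which confirms that an attacker who can reach the endpoint is talking directly to Redis and is one credential away from the full command set. "Open" is the case the mail warns about, and "protected-mode" only covers the default configuration with no bind address and no password, so it is not a substitute for keeping the port off the Internet.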