Thanks for the reply.
What my main concern is: does Django log every bad cookie? (If the 
cookie is not correct, does it log this? No, it does not, I think.) But what 
does it do except not letting the user enter? Does it raise any exception?

On Sunday, May 1, 2016 at 7:34:55 PM UTC+5:30, Avraham Serour wrote:
>
> > 1. When cookies are used to carry authentication tokens or session IDs 
> within a web application, and multiple such cookies are present, Django 
> verifies all such cookies before granting access to the user session. 
> What kind of verification do you expect here? If the submitted session ID 
> is a valid session ID?
>
> > 2. All conflicting cookies are treated as invalid by django.
> What's the question here?
>
> > 3. If validation of any such cookie fails, the cookie is treated as if it 
> didn't exist, and the event is added to the audit log or not by Django.
> If this is a question then yes, the user is treated as not logged in.
>
> > 4. In Django, after validation of all such cookies, permissions are 
> evaluated based on the cookies for which validation succeeded.
> No, permissions are handled by the application and stored in the DB; it would be 
> a huge security issue if the permissions were stored in the cookie.
>
> > 5. Cleartext Storage of Sensitive Information in a Cookie: info may be 
> stored in plain or coded form, and how difficult is it to decode?
> what's the question here?
>
> > 6. Information Exposure Through Persistent Cookies: how many old or 
> unused cookies are stored and persist in the system?
> If I remember correctly Django stores two cookies by default, session ID 
> and language.
>
> > 7. Reliance on Cookies without Validation and Integrity Checking: is it 
> doing the signing and unsigning always for the integrity check, and is this 
> only done by the default Django framework?
> I didn't understand the question.
>
> > 8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: is it 
> OFF or ON, and in which circumstances should this be ON?
> Don't be lazy; for this one you can easily make a hello world and check 
> yourself.
>
> > 9. Session IDs are fully validated before they may be used: how is the 
> session ID validated in Django, what API is used for it, and how can I check 
> in my framework?
> Session IDs are checked for presence in the database. Why do you 
> want to check yourself? Do you need to replace the validation?
>
> good luck
> Avraham
>
>
> On Wed, Apr 27, 2016 at 8:58 AM, Samarjeet Singh <[email protected]> wrote:
>
>> Hi All,
>>
>> Your input is very much valuable; kindly help me out regarding this. 
>>
>> I need to have CSDL compliance for the following for a project using the Django 
>> framework:
>> But my main concern here is how the Django framework validates the 
>> session ID and cookie, and whether
>> it is default in all the frameworks. I have seen the API (like signed and 
>> unsigned) also, but how do I ensure that my framework is doing
>> these checks:
>> 1. When cookies are used to carry authentication tokens or session IDs 
>> within a web application, and multiple such cookies are present, Django 
>> verifies all such cookies before granting access to the user session. 
>> 2. All conflicting cookies are treated as invalid by Django.
>>
>> 3. If validation of any such cookie fails, the cookie is treated as if it 
>> didn't exist, and the event is added to the audit log or not by Django.
>>
>> 4. In Django, after validation of all such cookies, permissions are 
>> evaluated based on the cookies for which validation succeeded.
>>
>> 5. Cleartext Storage of Sensitive Information in a Cookie: info may be 
>> stored in plain or coded form, and how difficult is it to decode? 
>> 6. Information Exposure Through Persistent Cookies: how many old or unused 
>> cookies are stored and persist in the system? 
>> 7. Reliance on Cookies without Validation and Integrity Checking: is it 
>> doing the signing and unsigning always for the integrity check, and is this 
>> only done by the default Django framework?
>>
>> 8. Sensitive Cookie in HTTPS Session Without 'Secure' Attribute: is it 
>> OFF or ON, and in which circumstances should this be ON?
>>
>> 9. Session IDs are fully validated before they may be used: how is the session 
>> ID validated in Django, what API is used for it, and how can I check this in my 
>> framework?
>>  
>>
>> regards 
>> samarjeet singh
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected] 
>> Visit this group at https://groups.google.com/group/django-users.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-users/1ad806f5-73d8-4389-866d-de3e884f4415%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

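The behaviour discussed in the thread above (checklist points 3, 7 and 9: a cookie whose signature fails, or whose session key is not known to the store, is treated as if it were absent, and the caller chooses whether to record the event), shown as an added stand-alone Python example. This is not Django's code and is not from the thread: it uses only hmac/hashlib, a hypothetical SECRET_KEY and COOKIE_SALT, and an in-memory dict standing in for the session table. Django's own implementation lives in django.core.signing and its session backends and uses its own cookie format; only the two checks are illustrated here.

```python
"""Signed-cookie and session-key check, as a stand-alone illustration."""
import base64
import hashlib
import hmac
import logging
from typing import Optional

log = logging.getLogger("session_check")

# Hypothetical values for this example only; a real deployment uses its own
# secret key (Django's SECRET_KEY setting) and never hard-codes it in source.
SECRET_KEY = b"example-secret-key-not-for-production"
COOKIE_SALT = b"sessionid"


def sign(value: str, key: bytes = SECRET_KEY, salt: bytes = COOKIE_SALT) -> str:
    """Return 'value:signature', signature = HMAC-SHA256(key, salt || value)."""
    mac = hmac.new(key, salt + value.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return f"{value}:{sig}"


def unsign(signed: str, key: bytes = SECRET_KEY,
           salt: bytes = COOKIE_SALT) -> Optional[str]:
    """Return the signed value if its signature verifies, otherwise None.

    The comparison is constant-time so a forger cannot recover a valid
    signature byte by byte from response timing.
    """
    value, sep, sig = signed.rpartition(":")
    if not sep:
        return None  # no signature part at all
    expected = sign(value, key, salt).rpartition(":")[2]
    if not hmac.compare_digest(sig.encode("ascii", "replace"),
                               expected.encode("ascii")):
        return None
    return value


# Constructed stand-in for the session table (session key -> session data).
SESSION_STORE = {"abc123": {"user_id": 42}}


def resolve_session(cookies: dict, store: dict = SESSION_STORE,
                    audit: Optional[list] = None) -> Optional[dict]:
    """Resolve the request's session from its cookies.

    Two checks run in order: the cookie's signature, then presence of the
    session key in the store. A cookie failing either check is treated as if
    it were absent, so the request proceeds as anonymous instead of raising.
    Each failure is logged and, if `audit` is a list, appended to it, so the
    caller decides what goes on record.
    """
    events = audit if audit is not None else []
    raw = cookies.get("sessionid")
    if raw is None:
        return None
    key = unsign(raw)
    if key is None:
        events.append("bad_signature")
        log.warning("session cookie rejected: signature check failed")
        return None
    data = store.get(key)
    if data is None:
        events.append("unknown_session")
        log.warning("session cookie rejected: key not present in store")
        return None
    return data


if __name__ == "__main__":
    trail: list = []
    print(resolve_session({"sessionid": sign("abc123")}, audit=trail), trail)
    print(resolve_session({"sessionid": "abc123:forged"}, audit=trail), trail)
    print(resolve_session({"sessionid": sign("expired")}, audit=trail), trail)
```

Run it directly to see the three outcomes: a valid cookie yields the stored session, a forged signature and an unknown key both yield None with an audit entry explaining why. Whether such entries end up in a log is entirely up to the code that calls resolve_session, which is the point the thread is circling around.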