
Session security considerations in Django

Introduction

Sessions let a website keep track of a user across requests. Securing them protects user data and stops an attacker who gets hold of a session identifier from impersonating that user.

When users log in to a website and you want to remember who they are safely.
When storing temporary information about a user during their visit.
When you want to prevent others from stealing a user's session and accessing their account.
When handling sensitive actions like payments or personal data changes.
When you want to make sure sessions expire after some time to reduce risks.
Syntax
Django
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_AGE = 1209600  # 2 weeks in seconds
SESSION_EXPIRE_AT_BROWSER_CLOSE = False
CSRF_COOKIE_SECURE = True

SESSION_COOKIE_SECURE makes sure the session cookie is sent only over HTTPS, never over plain HTTP.

SESSION_COOKIE_HTTPONLY stops JavaScript from reading the session cookie, which limits what a cross-site scripting (XSS) bug can steal.

Examples
This setting ensures the session cookie is only sent over secure HTTPS connections.
Django
SESSION_COOKIE_SECURE = True
This prevents JavaScript from reading the session cookie, helping protect against cross-site scripting attacks.
Django
SESSION_COOKIE_HTTPONLY = True
This makes the session end when the user closes their browser, improving security for shared computers.
Django
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
This sets the session to expire after 1 hour (3600 seconds).
Django
SESSION_COOKIE_AGE = 3600
Sample Program

This example shows how to set important session security settings in Django and prints their values to confirm.

Django
from django.conf import settings

# In a real project these values live in settings.py. For a standalone script,
# settings.configure() is the supported way to supply them (assigning to
# settings.* at runtime is not supported by Django).
settings.configure(
    SESSION_COOKIE_SECURE=True,             # send the cookie over HTTPS only
    SESSION_COOKIE_HTTPONLY=True,           # keep the cookie out of reach of JavaScript
    SESSION_COOKIE_AGE=1800,                # 30 minutes, in seconds
    SESSION_EXPIRE_AT_BROWSER_CLOSE=True,   # drop the cookie when the browser closes
)

print(f"SESSION_COOKIE_SECURE: {settings.SESSION_COOKIE_SECURE}")
print(f"SESSION_COOKIE_HTTPONLY: {settings.SESSION_COOKIE_HTTPONLY}")
print(f"SESSION_COOKIE_AGE (seconds): {settings.SESSION_COOKIE_AGE}")
print(f"SESSION_EXPIRE_AT_BROWSER_CLOSE: {settings.SESSION_EXPIRE_AT_BROWSER_CLOSE}")
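As an added example (not code from this page or from Django itself), the following standard-library script models how the settings above turn into the Set-Cookie attributes a browser receives, and audits a settings dictionary for weak values; the one-day age threshold and the constructed settings are assumptions of this example.

```python
"""Added example (not from the page): model how Django's session settings shape
the Set-Cookie header a browser receives, then audit a settings dict for weak
values. Standard library only; it mirrors the documented behaviour of Django's
SessionMiddleware rather than calling Django itself."""
from http.cookies import SimpleCookie

# Django's documented defaults for the settings this page discusses.
DEFAULTS = {
    "SESSION_COOKIE_NAME": "sessionid",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_AGE": 1209600,          # 2 weeks
    "SESSION_EXPIRE_AT_BROWSER_CLOSE": False,
}


def session_set_cookie(settings: dict, session_key: str) -> str:
    """Return the Set-Cookie value the session cookie would carry."""
    cfg = {**DEFAULTS, **settings}
    jar = SimpleCookie()
    jar[cfg["SESSION_COOKIE_NAME"]] = session_key
    morsel = jar[cfg["SESSION_COOKIE_NAME"]]
    morsel["path"] = "/"
    morsel["secure"] = cfg["SESSION_COOKIE_SECURE"]      # Secure flag
    morsel["httponly"] = cfg["SESSION_COOKIE_HTTPONLY"]  # HttpOnly flag
    # With SESSION_EXPIRE_AT_BROWSER_CLOSE the cookie carries no Max-Age, so the
    # browser discards it on close. Otherwise Max-Age = SESSION_COOKIE_AGE, counted
    # from when the cookie was last set: an absolute lifetime, not an inactivity
    # timeout, unless SESSION_SAVE_EVERY_REQUEST refreshes it on each request.
    if not cfg["SESSION_EXPIRE_AT_BROWSER_CLOSE"]:
        morsel["max-age"] = int(cfg["SESSION_COOKIE_AGE"])
    return morsel.OutputString()


def audit_session_settings(settings: dict, max_age: int = 86400) -> list[str]:
    """List weak session settings with the fix; max_age (one day) is this
    example's own threshold for 'a reasonable time', not a Django rule."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    if not cfg["SESSION_COOKIE_SECURE"]:
        findings.append("SESSION_COOKIE_SECURE=False: cookie may travel over plain HTTP; set True")
    if not cfg["SESSION_COOKIE_HTTPONLY"]:
        findings.append("SESSION_COOKIE_HTTPONLY=False: page scripts can read the cookie; set True")
    if not cfg["SESSION_EXPIRE_AT_BROWSER_CLOSE"] and cfg["SESSION_COOKIE_AGE"] > max_age:
        findings.append(f"SESSION_COOKIE_AGE={cfg['SESSION_COOKIE_AGE']}s: lifetime exceeds {max_age}s; shorten it")
    return findings
```

Calling `session_set_cookie({"SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_AGE": 900}, "k")` yields a header with Secure, HttpOnly and Max-Age=900, while `audit_session_settings({})` flags the Django defaults (no Secure flag, two-week lifetime).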
Important Notes

Always use HTTPS on your site to keep session cookies safe during transmission.

Set SESSION_COOKIE_HTTPONLY to prevent JavaScript access to cookies.

Consider expiring sessions after a reasonable time or when the browser closes to reduce risk.

Summary

Sessions help remember users but need protection to keep data safe.

Use settings like SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY to improve security.

Expire sessions after some time or on browser close to reduce chances of misuse.

Practice

1. Which Django setting helps ensure session cookies are only sent over HTTPS connections?
easy
A. SESSION_EXPIRE_AT_BROWSER_CLOSE
B. SESSION_COOKIE_HTTPONLY
C. SESSION_COOKIE_SECURE
D. SESSION_SAVE_EVERY_REQUEST

Solution

  1. Step 1: Understand the purpose of SESSION_COOKIE_SECURE

    This setting makes sure cookies are only sent over HTTPS, protecting them from being sent over insecure connections.
  2. Step 2: Compare with other settings

    SESSION_COOKIE_HTTPONLY prevents JavaScript access, SESSION_EXPIRE_AT_BROWSER_CLOSE controls expiration, and SESSION_SAVE_EVERY_REQUEST saves the session on every request; none of them enforces HTTPS.
  3. Final Answer:

    SESSION_COOKIE_SECURE -> Option C
  4. Quick Check:

    Secure cookie = SESSION_COOKIE_SECURE [OK]
Hint: Secure cookies only with SESSION_COOKIE_SECURE [OK]
Common Mistakes:
  • Confusing HTTPOnly with secure flag
  • Thinking expiration controls HTTPS
  • Assuming saving every request affects security
2. Which of the following is the correct way to set a session cookie to be inaccessible to JavaScript in Django's settings?
easy
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_HTTPONLY = False
C. SESSION_COOKIE_SECURE = False
D. SESSION_EXPIRE_AT_BROWSER_CLOSE = False

Solution

  1. Step 1: Identify the setting controlling JavaScript access

    SESSION_COOKIE_HTTPONLY when set to True prevents JavaScript from accessing the cookie.
  2. Step 2: Confirm correct boolean value

    Setting it to True enables this protection; False would allow JavaScript access.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = True -> Option A
  4. Quick Check:

    HTTPOnly true blocks JavaScript [OK]
Hint: HTTPOnly True blocks JavaScript cookie access [OK]
Common Mistakes:
  • Setting HTTPOnly to False expecting protection
  • Confusing SESSION_COOKIE_SECURE with HTTPOnly
  • Mixing expiration settings with cookie flags
3. Given the following Django settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

What happens to the session cookie when the user closes their browser?
medium
A. The session cookie is sent over HTTP connections.
B. The session cookie is deleted, requiring login again.
C. The session cookie remains until manually cleared.
D. The session cookie becomes accessible to JavaScript.

Solution

  1. Step 1: Understand SESSION_EXPIRE_AT_BROWSER_CLOSE

    This setting makes the session cookie expire when the browser closes, deleting it.
  2. Step 2: Check other settings' effects

    SESSION_COOKIE_SECURE ensures HTTPS-only transmission and SESSION_COOKIE_HTTPONLY blocks JavaScript access; neither affects expiration on close.
  3. Final Answer:

    The session cookie is deleted, requiring login again. -> Option B
  4. Quick Check:

    Expire at close = cookie deleted [OK]
Hint: Expire at browser close deletes session cookie [OK]
Common Mistakes:
  • Thinking cookie persists after browser close
  • Confusing secure flag with expiration
  • Assuming HTTPOnly affects cookie lifetime
4. You want to ensure that session cookies are not accessible via JavaScript and are only sent over HTTPS. Which of the following Django settings combinations sets both security flags to False?
medium
A. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False
B. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = True
C. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = False
D. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = True

Solution

  1. Step 1: Identify required settings for security

    To block JavaScript access, SESSION_COOKIE_HTTPONLY must be True. To send cookies only over HTTPS, SESSION_COOKIE_SECURE must be True.
  2. Step 2: Analyze each option

    SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False sets both to False, allowing JavaScript access and sending cookies over HTTP, which is insecure.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False -> Option A
  4. Quick Check:

    Both flags False = insecure [OK]
Hint: Both HTTPOnly and Secure must be True for safety [OK]
Common Mistakes:
  • Thinking one flag alone is enough
  • Confusing True/False meanings
  • Ignoring HTTPS requirement for Secure flag
5. You want to improve session security by expiring sessions after 15 minutes of inactivity and ensuring cookies are secure and inaccessible to JavaScript. Which Django settings combination achieves this correctly?
hard
A. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_EXPIRE_AT_BROWSER_CLOSE = False
B. SESSION_COOKIE_SECURE = False, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900
C. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = False, SESSION_COOKIE_AGE = 3600
D. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900

Solution

  1. Step 1: Set secure and HTTPOnly flags

    Both SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY must be True to protect cookies from insecure transport and JavaScript access.
  2. Step 2: Set session expiration time

    SESSION_COOKIE_AGE controls session lifetime in seconds; 900 seconds equals 15 minutes, which matches the requirement.
  3. Step 3: Verify other options

    The combination with SESSION_EXPIRE_AT_BROWSER_CLOSE = False (without SESSION_COOKIE_AGE) does not provide a 15-minute inactivity timeout. The one with SESSION_COOKIE_SECURE = False allows transmission over HTTP. The one with SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_AGE = 3600 permits JavaScript access and uses a 1-hour timeout.
  4. Final Answer:

    SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 -> Option D
  5. Quick Check:

    Secure + HTTPOnly + 15 min age = SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 [OK]
Hint: Set secure, HTTPOnly true and age to 900 seconds [OK]
Common Mistakes:
  • Forgetting to set secure flag to True
  • Using wrong expiration time units
  • Disabling HTTPOnly accidentally