Django framework, ~20 mins

Session security considerations in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual | intermediate | time limit 2:00
What is the main purpose of Django's SESSION_COOKIE_SECURE setting?
In Django, what does setting SESSION_COOKIE_SECURE = True do to improve session security?
A. It automatically logs out users after a fixed time.
B. It encrypts the session data stored on the server.
C. It ensures the session cookie is only sent over HTTPS connections.
D. It stores session data in a secure database table.
💡 Hint
Think about how cookies are transmitted over the network.
Component behavior | intermediate | time limit 2:00
What happens if SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True?
Consider this Django setting: SESSION_EXPIRE_AT_BROWSER_CLOSE = True. What is the effect on user sessions?
A. Sessions persist even if the user clears cookies.
B. Sessions expire when the user closes their browser, requiring login again next time.
C. Sessions expire after a fixed time regardless of browser state.
D. Sessions never expire unless manually cleared by the server.
💡 Hint
Think about how browsers handle session cookies.
🔧 Debug | advanced | time limit 3:00
Why does this Django session code cause a security risk?
Examine this Django middleware snippet that sets session data:
def process_request(self, request):
    request.session['user_role'] = 'admin'
What security risk does this code introduce?
A. It exposes the session cookie to JavaScript by default.
B. It causes the session to never expire.
C. It stores session data in plain text on the client side.
D. It overwrites the user role on every request, ignoring actual user permissions.
💡 Hint
Consider what happens if the user role is forced to 'admin' every time.
📝 Syntax | advanced | time limit 2:00
Which Django session setting prevents JavaScript from accessing the session cookie?
Select the correct Django setting that makes the session cookie inaccessible to JavaScript, improving security against XSS attacks.
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_SECURE = False
C. SESSION_COOKIE_SAMESITE = 'None'
D. SESSION_COOKIE_AGE = 1209600
💡 Hint
Think about cookie flags that restrict client-side script access.
State output | expert | time limit 3:00
What is the session cookie behavior with these Django settings?
Given these Django settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
What is the combined effect on the session cookie?
A. The cookie is sent only over HTTPS, inaccessible to JavaScript, and deleted when the browser closes.
B. The cookie is sent over HTTP and HTTPS, accessible to JavaScript, and persists after the browser closes.
C. The cookie is sent only over HTTPS, accessible to JavaScript, and persists after the browser closes.
D. The cookie is sent over HTTP only, inaccessible to JavaScript, and deleted after a fixed time.
💡 Hint
Combine the effects of each setting carefully.