
Session security considerations in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
What is the main purpose of Django's SESSION_COOKIE_SECURE setting?
In Django, what does setting SESSION_COOKIE_SECURE = True do to improve session security?
A. It automatically logs out users after a fixed time.
B. It encrypts the session data stored on the server.
C. It ensures the session cookie is only sent over HTTPS connections.
D. It stores session data in a secure database table.
💡 Hint: Think about how cookies are transmitted over the network.
Component behavior (intermediate)
What happens if SESSION_EXPIRE_AT_BROWSER_CLOSE is set to True?
Consider this Django setting: SESSION_EXPIRE_AT_BROWSER_CLOSE = True. What is the effect on user sessions?
A. Sessions persist even if the user clears cookies.
B. Sessions expire when the user closes their browser, requiring login again next time.
C. Sessions expire after a fixed time regardless of browser state.
D. Sessions never expire unless manually cleared by the server.
💡 Hint: Think about how browsers handle session cookies.
🔧 Debug (advanced)
Why does this Django session code cause a security risk?
Examine this Django middleware snippet that sets session data:
def process_request(self, request):
    request.session['user_role'] = 'admin'
What security risk does this code introduce?
A. It exposes the session cookie to JavaScript by default.
B. It causes the session to never expire.
C. It stores session data in plain text on the client side.
D. It overwrites the user role on every request, ignoring actual user permissions.
💡 Hint: Consider what happens if the user role is forced to 'admin' every time.
📝 Syntax (advanced)
Which Django session setting prevents JavaScript from accessing the session cookie?
Select the correct Django setting that makes the session cookie inaccessible to JavaScript, improving security against XSS attacks.
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_SECURE = False
C. SESSION_COOKIE_SAMESITE = 'None'
D. SESSION_COOKIE_AGE = 1209600
💡 Hint: Think about cookie flags that restrict client-side script access.
State output (expert)
What is the session cookie behavior with these Django settings?
Given these Django settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
What is the combined effect on the session cookie?
A. The cookie is sent only over HTTPS, inaccessible to JavaScript, and deleted when the browser closes.
B. The cookie is sent over HTTP and HTTPS, accessible to JavaScript, and persists after the browser closes.
C. The cookie is sent only over HTTPS, accessible to JavaScript, and persists after the browser closes.
D. The cookie is sent over HTTP only, inaccessible to JavaScript, and deleted after a fixed time.
💡 Hint: Combine the effects of each setting carefully.

Practice

1. Which Django setting helps ensure session cookies are only sent over HTTPS connections?
easy
A. SESSION_EXPIRE_AT_BROWSER_CLOSE
B. SESSION_COOKIE_HTTPONLY
C. SESSION_COOKIE_SECURE
D. SESSION_SAVE_EVERY_REQUEST

Solution

  1. Step 1: Understand the purpose of SESSION_COOKIE_SECURE

    This setting makes sure cookies are only sent over HTTPS, protecting them from being sent over insecure connections.
  2. Step 2: Compare with other settings

    SESSION_COOKIE_HTTPONLY prevents JavaScript access, SESSION_EXPIRE_AT_BROWSER_CLOSE controls expiration, and SESSION_SAVE_EVERY_REQUEST saves the session on every request; none of them enforces HTTPS.
  3. Final Answer:

    SESSION_COOKIE_SECURE -> Option C
  4. Quick Check:

    Secure cookie = SESSION_COOKIE_SECURE [OK]
Hint: Secure cookies only with SESSION_COOKIE_SECURE [OK]
Common Mistakes:
  • Confusing HTTPOnly with secure flag
  • Thinking expiration controls HTTPS
  • Assuming saving every request affects security
2. Which of the following is the correct way to set a session cookie to be inaccessible to JavaScript in Django's settings?
easy
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_HTTPONLY = False
C. SESSION_COOKIE_SECURE = False
D. SESSION_EXPIRE_AT_BROWSER_CLOSE = False

Solution

  1. Step 1: Identify the setting controlling JavaScript access

    SESSION_COOKIE_HTTPONLY, when set to True, prevents JavaScript from accessing the cookie.
  2. Step 2: Confirm correct boolean value

    Setting it to True enables this protection; False would allow JavaScript access.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = True -> Option A
  4. Quick Check:

    HTTPOnly true blocks JavaScript [OK]
Hint: HTTPOnly True blocks JavaScript cookie access [OK]
Common Mistakes:
  • Setting HTTPOnly to False expecting protection
  • Confusing SESSION_COOKIE_SECURE with HTTPOnly
  • Mixing expiration settings with cookie flags
3. Given the following Django settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

What happens to the session cookie when the user closes their browser?
medium
A. The session cookie is sent over HTTP connections.
B. The session cookie is deleted, requiring login again.
C. The session cookie remains until manually cleared.
D. The session cookie becomes accessible to JavaScript.

Solution

  1. Step 1: Understand SESSION_EXPIRE_AT_BROWSER_CLOSE

    This setting makes the session cookie expire when the browser closes, deleting it.
  2. Step 2: Check other settings' effects

    SESSION_COOKIE_SECURE ensures HTTPS only and SESSION_COOKIE_HTTPONLY blocks JavaScript access; neither affects expiration on browser close.
  3. Final Answer:

    The session cookie is deleted, requiring login again. -> Option B
  4. Quick Check:

    Expire at close = cookie deleted [OK]
Hint: Expire at browser close deletes session cookie [OK]
Common Mistakes:
  • Thinking cookie persists after browser close
  • Confusing secure flag with expiration
  • Assuming HTTPOnly affects cookie lifetime
4. You want to ensure that session cookies are not accessible via JavaScript and are only sent over HTTPS. Which of the following Django settings combinations sets both security flags to False?
medium
A. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False
B. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = True
C. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = False
D. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = True

Solution

  1. Step 1: Identify required settings for security

    To block JavaScript access, SESSION_COOKIE_HTTPONLY must be True. To send cookies only over HTTPS, SESSION_COOKIE_SECURE must be True.
  2. Step 2: Analyze each option

    SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False sets both to False, allowing JavaScript access and sending cookies over HTTP, which is insecure.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False -> Option A
  4. Quick Check:

    Both flags False = insecure [OK]
Hint: Both HTTPOnly and Secure must be True for safety [OK]
Common Mistakes:
  • Thinking one flag alone is enough
  • Confusing True/False meanings
  • Ignoring HTTPS requirement for Secure flag
5. You want to improve session security by expiring sessions after 15 minutes of inactivity and ensuring cookies are secure and inaccessible to JavaScript. Which Django settings combination achieves this correctly?
hard
A. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_EXPIRE_AT_BROWSER_CLOSE = False
B. SESSION_COOKIE_SECURE = False, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900
C. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = False, SESSION_COOKIE_AGE = 3600
D. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900

Solution

  1. Step 1: Set secure and HTTPOnly flags

    Both SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY must be True to protect cookies from insecure transport and JavaScript access.
  2. Step 2: Set session expiration time

    SESSION_COOKIE_AGE controls session lifetime in seconds; 900 seconds equals 15 minutes, which matches the requirement.
  3. Step 3: Verify other options

    The combination with SESSION_EXPIRE_AT_BROWSER_CLOSE = False (without SESSION_COOKIE_AGE) does not provide a 15-minute inactivity timeout. The one with SESSION_COOKIE_SECURE = False allows transmission over HTTP. The one with SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_AGE = 3600 permits JavaScript access and uses a 1-hour timeout.
  4. Final Answer:

    SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 -> Option D
  5. Quick Check:

    Secure + HTTPOnly + 15 min age = SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 [OK]
Hint: Set secure, HTTPOnly true and age to 900 seconds [OK]
Common Mistakes:
  • Forgetting to set secure flag to True
  • Using wrong expiration time units
  • Disabling HTTPOnly accidentally