Session security considerations in Django - Cheat Sheet & Quick Revision

Recall & Review
beginner
Q: What is the purpose of using secure cookies in Django sessions?
A: Secure cookies ensure that session cookies are only sent over HTTPS connections, protecting session data from being intercepted on unsecured networks.

beginner
Q: How does Django's SESSION_COOKIE_HTTPONLY setting improve session security?
A: Setting SESSION_COOKIE_HTTPONLY to True prevents JavaScript from accessing the session cookie, reducing the risk of cross-site scripting (XSS) attacks stealing session data.

intermediate
Q: Why should session expiration be configured carefully in Django?
A: Proper session expiration limits the time a session remains valid, reducing the window in which an attacker can reuse a stolen session ID and improving overall security.

intermediate
Q: What is session fixation and how can Django help prevent it?
A: Session fixation is an attack in which an attacker sets a user's session ID to a value the attacker already knows. Django helps prevent this by rotating the session key after login using the cycle_key() method on the session object.

beginner
Q: Explain the role of CSRF protection in session security within Django.
A: CSRF protection prevents unauthorized commands from being transmitted from a user that the web application trusts. Django includes built-in CSRF tokens that work with sessions to protect against such attacks.
Which Django setting ensures session cookies are only sent over HTTPS?
A. SESSION_EXPIRE_AT_BROWSER_CLOSE
B. SESSION_COOKIE_HTTPONLY
C. CSRF_COOKIE_SECURE
D. SESSION_COOKIE_SECURE

What does setting SESSION_COOKIE_HTTPONLY to True do?
A. Prevents JavaScript access to session cookies
B. Expires session cookies immediately
C. Allows cookies on all domains
D. Encrypts session data in the database

How can Django help prevent session fixation attacks?
A. By using HTTP instead of HTTPS
B. By rotating the session key after login
C. By setting SESSION_COOKIE_AGE to zero
D. By disabling sessions entirely

Why is it important to set session expiration in Django?
A. To limit how long a session stays valid
B. To allow unlimited session duration
C. To disable session cookies
D. To enable JavaScript access to cookies

What role does CSRF protection play in session security?
A. Encrypts session cookies
B. Disables session cookies
C. Prevents unauthorized commands from trusted users
D. Allows cross-site requests without tokens
Describe three key settings or practices in Django that help secure user sessions.
Hint: Think about cookie security, session lifetime, and login behavior.

Explain how session fixation attacks work and how Django defends against them.
Hint: Focus on session ID control before and after login.

Practice

1. Which Django setting helps ensure session cookies are only sent over HTTPS connections?
easy
A. SESSION_EXPIRE_AT_BROWSER_CLOSE
B. SESSION_COOKIE_HTTPONLY
C. SESSION_COOKIE_SECURE
D. SESSION_SAVE_EVERY_REQUEST

Solution

Step 1: Understand the purpose of SESSION_COOKIE_SECURE
This setting makes sure the session cookie is only sent over HTTPS, so it is never transmitted over an insecure connection.

Step 2: Compare with other settings
SESSION_COOKIE_HTTPONLY prevents JavaScript access, SESSION_EXPIRE_AT_BROWSER_CLOSE controls expiration, and SESSION_SAVE_EVERY_REQUEST saves the session on every request; none of them enforces HTTPS.

Final Answer: SESSION_COOKIE_SECURE -> Option C

Quick Check: Secure cookie = SESSION_COOKIE_SECURE
Hint: Secure cookies only with SESSION_COOKIE_SECURE
Common Mistakes:
• Confusing the HTTPOnly flag with the Secure flag
• Thinking expiration controls HTTPS
• Assuming saving on every request affects security
2. Which of the following is the correct way to make the session cookie inaccessible to JavaScript in Django's settings?
easy
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_HTTPONLY = False
C. SESSION_COOKIE_SECURE = False
D. SESSION_EXPIRE_AT_BROWSER_CLOSE = False

Solution

Step 1: Identify the setting controlling JavaScript access
SESSION_COOKIE_HTTPONLY, when set to True, prevents JavaScript from accessing the cookie.

Step 2: Confirm the correct boolean value
Setting it to True enables this protection; False would allow JavaScript access.

Final Answer: SESSION_COOKIE_HTTPONLY = True -> Option A

Quick Check: HTTPOnly True blocks JavaScript
Hint: HTTPOnly True blocks JavaScript cookie access
Common Mistakes:
• Setting HTTPOnly to False and expecting protection
• Confusing SESSION_COOKIE_SECURE with HTTPOnly
• Mixing expiration settings with cookie flags
3. Given the following Django settings:

SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

What happens to the session cookie when the user closes their browser?
medium
A. The session cookie is sent over HTTP connections.
B. The session cookie is deleted, requiring login again.
C. The session cookie remains until manually cleared.
D. The session cookie becomes accessible to JavaScript.

Solution

Step 1: Understand SESSION_EXPIRE_AT_BROWSER_CLOSE
This setting makes the session cookie expire when the browser closes, so the browser deletes it.

Step 2: Check the effects of the other settings
SESSION_COOKIE_SECURE ensures HTTPS-only transmission and SESSION_COOKIE_HTTPONLY blocks JavaScript access; neither affects expiration on browser close.

Final Answer: The session cookie is deleted, requiring login again. -> Option B

Quick Check: Expire at close = cookie deleted
Hint: Expire at browser close deletes the session cookie
Common Mistakes:
• Thinking the cookie persists after browser close
• Confusing the Secure flag with expiration
• Assuming HTTPOnly affects cookie lifetime
4. You want to ensure that session cookies are not accessible via JavaScript and are only sent over HTTPS. Which of the following Django settings combinations sets both security flags to False?
medium
A. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False
B. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = True
C. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = False
D. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = True

Solution

Step 1: Identify the settings required for security
To block JavaScript access, SESSION_COOKIE_HTTPONLY must be True. To send cookies only over HTTPS, SESSION_COOKIE_SECURE must be True.

Step 2: Analyze each option
SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False sets both flags to False, allowing JavaScript access and sending the cookie over HTTP, which is insecure.

Final Answer: SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False -> Option A

Quick Check: Both flags False = insecure
Hint: Both HTTPOnly and Secure must be True for safety
Common Mistakes:
• Thinking one flag alone is enough
• Confusing the meanings of True and False
• Ignoring the HTTPS requirement for the Secure flag
5. You want to improve session security by expiring sessions after 15 minutes of inactivity and ensuring cookies are secure and inaccessible to JavaScript. Which Django settings combination achieves this correctly?
hard
A. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_EXPIRE_AT_BROWSER_CLOSE = False
B. SESSION_COOKIE_SECURE = False, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900
C. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = False, SESSION_COOKIE_AGE = 3600
D. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900

Solution

Step 1: Set the Secure and HTTPOnly flags
Both SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY must be True to protect the cookie from insecure transport and from JavaScript access.

Step 2: Set the session expiration time
SESSION_COOKIE_AGE controls the session lifetime in seconds; 900 seconds equals 15 minutes, which matches the requirement. (Note: SESSION_COOKIE_AGE on its own is an absolute lifetime measured from when the session was last saved; to make it behave as an inactivity timeout, also set SESSION_SAVE_EVERY_REQUEST = True so the expiry is refreshed on every request.)

Step 3: Verify the other options
The combination with SESSION_EXPIRE_AT_BROWSER_CLOSE = False (without SESSION_COOKIE_AGE) does not provide a 15-minute inactivity timeout. The one with SESSION_COOKIE_SECURE = False allows transmission over HTTP. The one with SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_AGE = 3600 permits JavaScript access and uses a 1-hour timeout.

Final Answer: SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 -> Option D

Quick Check: Secure + HTTPOnly + 15-minute age = SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900
Hint: Set Secure and HTTPOnly to True and the age to 900 seconds
Common Mistakes:
• Forgetting to set the Secure flag to True
• Using the wrong expiration time units
• Disabling HTTPOnly accidentally