Django framework, ~10 mins

Session security considerations in Django - Interactive Code Practice

Practice - 5 Tasks
Answer the questions below
Task 1 (fill in the blank, easy)

Complete the code so the browser only sends the session cookie over HTTPS.

Django
SESSION_COOKIE_[1] = True
A. domain
B. httponly
C. secure
D. age
Common Mistakes
Using SESSION_COOKIE_HTTPONLY instead of SESSION_COOKIE_SECURE (HttpOnly hides the cookie from JavaScript; it says nothing about plain-HTTP transport)
Setting SESSION_COOKIE_SECURE to False (Django's default; the cookie is then also sent on http:// requests)
Task 2 (fill in the blank, medium)

Complete the code so that JavaScript in the page cannot read the session cookie.

Django
SESSION_COOKIE_[1] = True
A. secure
B. domain
C. path
D. httponly
Common Mistakes
Confusing SESSION_COOKIE_SECURE with SESSION_COOKIE_HTTPONLY
Leaving this setting as False (Django's default is True; turning it off exposes the session id to document.cookie and therefore to any XSS)
Task 3 (fill in the blank, hard)

The middleware list below has a gap: views that authenticate users through the session cookie are not yet protected against cross-site request forgery. Fill in the missing middleware so session security is complete.

Django
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    '[1]',
]
A. django.middleware.csrf.CsrfViewMiddleware
B. django.middleware.common.CommonMiddleware
C. django.middleware.locale.LocaleMiddleware
D. django.middleware.clickjacking.XFrameOptionsMiddleware
Common Mistakes
Omitting CSRF middleware (the browser attaches the session cookie automatically, so without a CSRF check a cross-site form post acts as the logged-in user)
Adding unrelated middleware instead
Getting the order wrong: SessionMiddleware must come before AuthenticationMiddleware, and before CsrfViewMiddleware when CSRF_USE_SESSIONS = True
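As an added example (not from this page and not Django's own code), a small check you can run against a settings module from a unit test: it verifies that the middleware task 3 is about is present and that the ordering rules from Django's documentation hold. AuthenticationMiddleware and the CSRF_USE_SESSIONS rule are included here for completeness; check_middleware is a hypothetical helper name.

```python
# Added example: lint a Django MIDDLEWARE list for the session/CSRF entries
# and their required order. Pure Python, no Django import needed.

SECURITY = "django.middleware.security.SecurityMiddleware"
SESSION = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF = "django.middleware.csrf.CsrfViewMiddleware"
AUTH = "django.contrib.auth.middleware.AuthenticationMiddleware"

# (earlier, later) pairs: the first must appear before the second.
# AuthenticationMiddleware reads request.session, so SessionMiddleware precedes it.
ORDER_RULES = [(SESSION, AUTH)]


def check_middleware(middleware, csrf_use_sessions=False):
    """Return a list of problems found (an empty list means the list passes).

    csrf_use_sessions mirrors the CSRF_USE_SESSIONS setting: when the CSRF
    token lives in the session, CsrfViewMiddleware also needs SessionMiddleware
    to have run first.
    """
    problems = []
    for required in (SECURITY, SESSION, CSRF):
        if required not in middleware:
            problems.append(f"missing {required}")
    if middleware and middleware[0] != SECURITY:
        problems.append("SecurityMiddleware should sit at the top of the list")
    rules = ORDER_RULES + ([(SESSION, CSRF)] if csrf_use_sessions else [])
    for earlier, later in rules:
        if (earlier in middleware and later in middleware
                and middleware.index(earlier) > middleware.index(later)):
            problems.append(f"{earlier} must come before {later}")
    return problems


if __name__ == "__main__":
    # Constructed lists: the task's completed answer, and a broken variant.
    good = [SECURITY, SESSION, CSRF]
    broken = [SECURITY, CSRF, SESSION]
    print("good:", check_middleware(good) or "ok")
    print("broken (CSRF_USE_SESSIONS=True):", check_middleware(broken, csrf_use_sessions=True))
```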
Task 4 (fill in the blank, hard)

Fill both blanks to configure the session lifetime and make the cookie end when the browser closes.

Django
SESSION_COOKIE_[1] = 1209600  # Two weeks in seconds (Django's default)
SESSION_EXPIRE_AT_[2] = True
A. age
B. browser_close
C. secure
D. httponly
Common Mistakes
Mixing up SESSION_COOKIE_AGE with the Secure/HttpOnly flags
Using wrong suffixes for expiration settings
Assuming SESSION_COOKIE_AGE no longer matters once SESSION_EXPIRE_AT_BROWSER_CLOSE is True: the cookie is then sent without Max-Age/Expires, but the server-side session record still expires SESSION_COOKIE_AGE seconds after its last save
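The following is an added example, not code from this page or from Django: a stdlib-only model of how Django's SessionMiddleware turns the settings from tasks 1, 2 and 4 into a Set-Cookie header, plus an audit function that flags the weak values. It uses http.cookies.SimpleCookie, the same class Django builds its cookies with, and the DJANGO_DEFAULTS table is Django's shipped global_settings values for these keys. The Expires date and Domain attribute Django also emits are left out, and the audit's 3600-second threshold is an assumed heuristic.

```python
# Added example: model Django's session Set-Cookie header and audit the settings.
from http import cookies

# Django's shipped defaults for the settings discussed here
# (django/conf/global_settings.py). SESSION_COOKIE_SECURE defaults to False.
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_NAME": "sessionid",
    "SESSION_COOKIE_AGE": 60 * 60 * 24 * 7 * 2,  # 1209600 s, two weeks
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SESSION_COOKIE_PATH": "/",
    "SESSION_EXPIRE_AT_BROWSER_CLOSE": False,
    "SESSION_SAVE_EVERY_REQUEST": False,
}


def session_set_cookie(settings, session_key):
    """Build the Set-Cookie value Django's SessionMiddleware would send for
    these settings (simplified: no Expires date, no Domain attribute)."""
    cfg = {**DJANGO_DEFAULTS, **settings}
    jar = cookies.SimpleCookie()
    name = cfg["SESSION_COOKIE_NAME"]
    jar[name] = session_key
    morsel = jar[name]
    morsel["path"] = cfg["SESSION_COOKIE_PATH"]
    # Task 4: with SESSION_EXPIRE_AT_BROWSER_CLOSE the cookie carries no Max-Age,
    # so the browser treats it as a session cookie; otherwise Max-Age is the age.
    if not cfg["SESSION_EXPIRE_AT_BROWSER_CLOSE"]:
        morsel["max-age"] = cfg["SESSION_COOKIE_AGE"]
    if cfg["SESSION_COOKIE_SECURE"]:      # task 1: only sent over HTTPS
        morsel["secure"] = True
    if cfg["SESSION_COOKIE_HTTPONLY"]:    # task 2: hidden from document.cookie
        morsel["httponly"] = True
    if cfg["SESSION_COOKIE_SAMESITE"]:
        morsel["samesite"] = cfg["SESSION_COOKIE_SAMESITE"]
    return morsel.OutputString()


def audit_session_settings(settings):
    """Return the findings a reviewer would raise against these settings
    (empty list means nothing to flag). Rules are the ones this page teaches,
    plus a SameSite check because Django sets SameSite=Lax by default."""
    cfg = {**DJANGO_DEFAULTS, **settings}
    findings = []
    if not cfg["SESSION_COOKIE_SECURE"]:
        findings.append("SESSION_COOKIE_SECURE is False: session id travels over plain HTTP")
    if not cfg["SESSION_COOKIE_HTTPONLY"]:
        findings.append("SESSION_COOKIE_HTTPONLY is False: document.cookie exposes the session id")
    if cfg["SESSION_COOKIE_SAMESITE"] is None:
        findings.append("SESSION_COOKIE_SAMESITE is None: cookie is attached to cross-site requests")
    if cfg["SESSION_COOKIE_AGE"] > DJANGO_DEFAULTS["SESSION_COOKIE_AGE"]:
        findings.append("SESSION_COOKIE_AGE is longer than Django's two-week default")
    # Assumed heuristic: an age of an hour or less is meant as an inactivity
    # timeout, which only works if every request re-saves the session.
    if cfg["SESSION_COOKIE_AGE"] <= 3600 and not cfg["SESSION_SAVE_EVERY_REQUEST"]:
        findings.append("short SESSION_COOKIE_AGE without SESSION_SAVE_EVERY_REQUEST: "
                        "the clock runs from the last save, not the last request")
    return findings


if __name__ == "__main__":
    # Constructed configurations: a hardened one and Django's bare defaults.
    examples = {
        "hardened": {"SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_AGE": 900,
                     "SESSION_SAVE_EVERY_REQUEST": True},
        "defaults": {},
    }
    for label, cfg in examples.items():
        print(label, "->", session_set_cookie(cfg, "abc123"))
        for finding in audit_session_settings(cfg):
            print("   !", finding)
```

The header for the hardened configuration reads `sessionid=abc123; HttpOnly; Max-Age=900; Path=/; SameSite=Lax; Secure`, which is what you should see in the browser's developer tools after logging in; a missing `Secure` or `HttpOnly` token there is the quickest way to confirm a misconfigured deployment.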
Task 5 (fill in the blank, hard)

Fill all three blanks so the dictionary comprehension keeps only active sessions. (Assume a session model that exposes a user_id field; Django's built-in django.contrib.sessions.models.Session has only session_key, session_data and expire_date, with the user id stored inside the encoded session data.)

Django
active_sessions = {session.session_key: session for session in sessions if session.expire_date [1] timezone.now() and session.session_key [2] None and session.user_id [3] 0}
A. >
B. !=
C. >=
D. ==
Common Mistakes
Using wrong comparison operators (a session is live only while its expire_date is still in the future)
Checking for equality instead of inequality
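An added example for this task (not from the page and not Django's own code): the same filter written against a stand-in for Django's session records, plus the lookup a practitioner usually wants next, all live sessions belonging to one user. Django keeps the user id inside the session data under the key `_auth_user_id` (django.contrib.auth.SESSION_KEY) as a string; the SessionRecord dataclass below is a constructed substitute for the Session model with that data already decoded, so the code runs without Django.

```python
# Added example: filter live sessions and find the ones that belong to a user.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SessionRecord:
    """Stand-in for django.contrib.sessions.models.Session with the payload decoded."""
    session_key: str
    expire_date: datetime
    data: dict = field(default_factory=dict)  # what Session.get_decoded() would return


def active_sessions(sessions, now):
    """Keep only sessions that still have a key and whose expire_date lies in
    the future; this is the task's dictionary comprehension made concrete."""
    return {
        s.session_key: s
        for s in sessions
        if s.expire_date > now and s.session_key is not None
    }


def sessions_for_user(sessions, user_id, now):
    """Live sessions logged in as user_id. Deleting these rows is how you force
    a user out of every browser (e.g. after a password reset)."""
    return [
        s for s in active_sessions(sessions, now).values()
        if s.data.get("_auth_user_id") == str(user_id)  # Django stores the pk as a string
    ]


# Constructed sample data: two sessions for user 42 (one expired), one anonymous, one for user 7.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    SessionRecord("k1", NOW + timedelta(hours=1), {"_auth_user_id": "42"}),
    SessionRecord("k2", NOW - timedelta(minutes=5), {"_auth_user_id": "42"}),  # expired
    SessionRecord("k3", NOW + timedelta(days=1), {}),                           # anonymous
    SessionRecord("k4", NOW + timedelta(days=1), {"_auth_user_id": "7"}),
]

if __name__ == "__main__":
    print("active:", sorted(active_sessions(SAMPLE, NOW)))
    print("user 42:", [s.session_key for s in sessions_for_user(SAMPLE, 42, NOW)])
```

In a real project the first filter belongs in the database rather than in Python (`Session.objects.filter(expire_date__gt=timezone.now())`), and expired rows are removed by the `clearsessions` management command; the in-memory version is for auditing a dump or writing tests.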

Practice - 5 Questions

1. (easy) Which Django setting helps ensure session cookies are only sent over HTTPS connections?
A. SESSION_EXPIRE_AT_BROWSER_CLOSE
B. SESSION_COOKIE_HTTPONLY
C. SESSION_COOKIE_SECURE
D. SESSION_SAVE_EVERY_REQUEST

Solution

  1. Step 1: Understand the purpose of SESSION_COOKIE_SECURE

    With SESSION_COOKIE_SECURE = True Django sets the Secure attribute on the session cookie, so the browser only sends it on HTTPS requests and the session id never crosses a plain-HTTP connection. Django's default is False. (On a development server without TLS the browser will then refuse to send the cookie at all and logins appear not to stick; that is the flag doing its job.)
  2. Step 2: Compare with other settings

    SESSION_COOKIE_HTTPONLY prevents JavaScript access, SESSION_EXPIRE_AT_BROWSER_CLOSE controls expiration, and SESSION_SAVE_EVERY_REQUEST saves the session on every request; none of them enforces HTTPS.
  3. Final Answer:

    SESSION_COOKIE_SECURE -> Option C
  4. Quick Check:

    Secure cookie = SESSION_COOKIE_SECURE [OK]
Hint: Secure cookies only with SESSION_COOKIE_SECURE [OK]
Common Mistakes:
  • Confusing HTTPOnly with secure flag
  • Thinking expiration controls HTTPS
  • Assuming saving every request affects security
2. (easy) Which of the following is the correct way to set a session cookie to be inaccessible to JavaScript in Django's settings?
A. SESSION_COOKIE_HTTPONLY = True
B. SESSION_COOKIE_HTTPONLY = False
C. SESSION_COOKIE_SECURE = False
D. SESSION_EXPIRE_AT_BROWSER_CLOSE = False

Solution

  1. Step 1: Identify the setting controlling JavaScript access

    SESSION_COOKIE_HTTPONLY = True adds the HttpOnly attribute, so document.cookie cannot read the session id (this is already Django's default). Note what it does not do: script running in the page can still issue requests, and the browser attaches the cookie to them, so HttpOnly limits the damage from XSS rather than neutralising it.
  2. Step 2: Confirm the correct boolean value

    Setting it to True enables this protection; False would allow JavaScript access.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = True -> Option A
  4. Quick Check:

    HTTPOnly true blocks JavaScript [OK]
Hint: HTTPOnly True blocks JavaScript cookie access [OK]
Common Mistakes:
  • Setting HTTPOnly to False expecting protection
  • Confusing SESSION_COOKIE_SECURE with HTTPOnly
  • Mixing expiration settings with cookie flags
3. (medium) Given the following Django settings:
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_EXPIRE_AT_BROWSER_CLOSE = True

What happens to the session cookie when the user closes their browser?
A. The session cookie is sent over HTTP connections.
B. The session cookie is deleted, requiring login again.
C. The session cookie remains until manually cleared.
D. The session cookie becomes accessible to JavaScript.

Solution

  1. Step 1: Understand SESSION_EXPIRE_AT_BROWSER_CLOSE

    With this setting Django sends the session cookie without Max-Age or Expires, which makes it a browser session cookie that is discarded when the browser closes. Two caveats: browsers configured to restore the previous session on restart (Chrome's "continue where you left off", for example) may keep such cookies, and the server-side session record is untouched until it reaches its expire_date or clearsessions removes it.
  2. Step 2: Check other settings' effects

    SESSION_COOKIE_SECURE ensures HTTPS only, SESSION_COOKIE_HTTPONLY blocks JavaScript access, neither affects expiration on close.
  3. Final Answer:

    The session cookie is deleted, requiring login again. -> Option B
  4. Quick Check:

    Expire at close = cookie deleted [OK]
Hint: Expire at browser close deletes session cookie [OK]
Common Mistakes:
  • Thinking cookie persists after browser close
  • Confusing secure flag with expiration
  • Assuming HTTPOnly affects cookie lifetime
4. (medium) Session cookies should be inaccessible to JavaScript and sent only over HTTPS. Which of the following Django settings combinations leaves both protections off, i.e. sets both flags to False, and must therefore be avoided?
A. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False
B. SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = True
C. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = False
D. SESSION_COOKIE_HTTPONLY = True and SESSION_COOKIE_SECURE = True

Solution

  1. Step 1: Identify required settings for security

    To block JavaScript access, SESSION_COOKIE_HTTPONLY must be True. To send cookies only over HTTPS, SESSION_COOKIE_SECURE must be True.
  2. Step 2: Analyze each option

    Only SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False disables both: JavaScript can read the cookie and the browser sends it over plain HTTP. The other combinations keep at least one protection on, and True/True is the one to actually deploy.
  3. Final Answer:

    SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_SECURE = False -> Option A
  4. Quick Check:

    Both flags False = insecure [OK]
Hint: Both HTTPOnly and Secure must be True for safety [OK]
Common Mistakes:
  • Thinking one flag alone is enough
  • Confusing True/False meanings
  • Ignoring HTTPS requirement for Secure flag
5. (hard) You want to improve session security by expiring sessions after 15 minutes of inactivity and ensuring cookies are secure and inaccessible to JavaScript. Which Django settings combination achieves this correctly?
A. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_EXPIRE_AT_BROWSER_CLOSE = False
B. SESSION_COOKIE_SECURE = False, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900
C. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = False, SESSION_COOKIE_AGE = 3600
D. SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900

Solution

  1. Step 1: Set secure and HTTPOnly flags

    Both SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY must be True to protect cookies from insecure transport and JavaScript access.
  2. Step 2: Set session expiration time

    SESSION_COOKIE_AGE controls the session lifetime in seconds; 900 seconds equals 15 minutes, which matches the requirement. One caveat: on its own, SESSION_COOKIE_AGE counts from the last time the session was saved (by default, only when it was modified, typically at login), not from the last request. For a true inactivity timeout also set SESSION_SAVE_EVERY_REQUEST = True so that every request pushes the expiry forward.
  3. Step 3: Verify other options

    The combination with SESSION_EXPIRE_AT_BROWSER_CLOSE = False (without SESSION_COOKIE_AGE) does not provide a 15-minute inactivity timeout. The one with SESSION_COOKIE_SECURE = False allows transmission over HTTP. The one with SESSION_COOKIE_HTTPONLY = False and SESSION_COOKIE_AGE = 3600 permits JavaScript access and uses a 1-hour timeout.
  4. Final Answer:

    SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 -> Option D
  5. Quick Check:

    Secure + HTTPOnly + 15 min age = SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_AGE = 900 [OK]
Hint: Set secure, HTTPOnly true and age to 900 seconds [OK]
Common Mistakes:
  • Forgetting to set secure flag to True
  • Using wrong expiration time units
  • Disabling HTTPOnly accidentally
  • Expecting SESSION_COOKIE_AGE alone to act as an inactivity timeout (it needs SESSION_SAVE_EVERY_REQUEST = True)
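To make the inactivity caveat from question 5 concrete, here is an added example (not from the page, and not Django code): a timeline simulation of Django's expiry rule. The session's expiry is last save + SESSION_COOKIE_AGE; by default the session is saved only when modified (here, just at login), while SESSION_SAVE_EVERY_REQUEST re-saves on every request and so moves the expiry forward. The function simulate() and the request timings are constructed for this illustration.

```python
# Added example: does SESSION_COOKIE_AGE behave as an inactivity timeout?
# Model of Django's rule: a session is valid while now < expire_date, and
# expire_date = (time of last save) + SESSION_COOKIE_AGE.


def simulate(request_times, cookie_age, save_every_request):
    """Replay requests made at the given seconds after login.

    Login happens at t=0 and saves the session. Returns a list of
    (t, accepted) tuples; once a request is rejected the user is logged out,
    so later requests are rejected too. Sessions are assumed not to be
    modified by the views themselves (a modification would also re-save).
    """
    expires_at = cookie_age  # set when the login saved the session
    logged_in = True
    results = []
    for t in request_times:
        accepted = logged_in and t < expires_at
        if accepted and save_every_request:
            expires_at = t + cookie_age  # SESSION_SAVE_EVERY_REQUEST refreshes the expiry
        if not accepted:
            logged_in = False
        results.append((t, accepted))
    return results


if __name__ == "__main__":
    # Constructed activity: requests 10, 20 and 25 minutes after login with a 15-minute age.
    timings = [600, 1200, 1500]
    print("SESSION_COOKIE_AGE=900 only:          ", simulate(timings, 900, False))
    print("plus SESSION_SAVE_EVERY_REQUEST=True:", simulate(timings, 900, True))
    print("25-minute gap with save-every-request:", simulate([600, 2100], 900, True))
```

Without SESSION_SAVE_EVERY_REQUEST the active user is logged out at the 20-minute request even though they were never idle for 15 minutes; with it, only a real gap longer than SESSION_COOKIE_AGE ends the session. The price is one session write per request, which matters for database-backed sessions under load.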