Django Securing User Session

ashraf_zolkopli

ashrafZolkopli

Posted on June 11, 2021

Django Securing User Session

Preface

One of the common attack vector for Web App is called Session Hijacking. Session Hijacking means that an authenticated user session was able to be obtain by a hacker. This usually due to Man In The Middle (MITM) attack such as when user is using a public Wi-Fi/LAN that had been compromise by the hacker.

Using HTTPS connection will encrypt the all communication between browser and server and setting a HTTP Strict Transport Security (HSTS) will make sure that all communication subsequence to the first connection between the browser and server will using HTTPS connection only. The first communication is usually cause the browser will request to a HTTP site then got redirected to a HTTPS site. HSTS also specify something called a Secure HSTS duration. This means that after x second from first contact between browser and server that set the HSTS policy will expire.

In the small chance that, your user is logged in to your website, close the window and continue to not do anything with it for the duration of x second ( HSTS second relapse ), link to the internet through a ( compromise ) public Wi-Fi, go to google and connect to your website on a HTTP page which the "hacker" is able to sniff your user session cookie and later imitate the user as an authorize use on our site.

Like I said there, there is a small chance but you never know maybe its that time of the year where all 8 planets in the solar system align just right with the wind blown from the far east with a wind speed of 100km/h hitting a small butterfly with so much force that it cause a ripple effect that will basically bring down your entire website for a month and causing a massive 100 million lawsuit. Well what I'm trying to say here is, Its better be safe then sorry.

To further reduce this attack vector, I recommend using a Django package called django-restricted-sessions. Its not a one all be all solution to our problem however, in my opinion its better to add such a package, it is so simple to implement and well you know what, you will thanks yourself one day that you implement it and if any minute chance that one day you have to stand in front of a Information Security committee, stating that you had taken all the precaution possible to secure your web app this might be one of those you need to win the case.

Anyway django-restricted-sessions isn't a bullet proof, even in its documentation state that it not perfect but it does deter the wannabe hacker from getting in so easily...

image

I guess I been talking so much about this package that we should just install and configure it...

Installing django-restrict-sessions

Just 2 line of command in your terminal is what you need:

pipenv install django-restricted-sessions
pipenv lock -r > requirement.txt

Enter fullscreen mode Exit fullscreen mode

Setting your middleware

Open the setting.py file and add a simple line:

'restrictedsessions.middleware.RestrictedSessionsMiddleware',
Enter fullscreen mode Exit fullscreen mode

make sure the middleware is located after both

'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
Enter fullscreen mode Exit fullscreen mode

like so :

MIDDLEWARE_CLASSES = [
    ....
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'restrictedsessions.middleware.RestrictedSessionsMiddleware',
    ....
]
Enter fullscreen mode Exit fullscreen mode

End

Thats it, simple as that, now your can feel a bit better about the fact that your webapp is a bit safer in the case of Session Hijacking.

💖 💪 🙅 🚩
ashraf_zolkopli
ashrafZolkopli

Posted on June 11, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related