Robotichead

Reputation: 148

Are sessions safe to use to store permission information

I am currently writing an application in Django and I am looking at storing specific permission information during a user's session. The permissions are made up of the following values:

The higher the value, the better the permission a user has. If a user has only "Edit" permission for the module "Projects", I want to store that somewhere so I don't have to get Django to query the database constantly. Would it be appropriate to use the following:

request.session['project_permission'] = '2'

Or would the user be able to edit this value and sneak in a higher number like 3 or 4?

Upvotes: 2

Views: 1285

Answers (1)

at14

Reputation: 1204

Assuming you are using Django's default sessions model backend, the user will not be able to edit any session related data.

The only information that is stored on the client side is the sessionid (in a cookie) which is the primary key to the Django Sessions table.

The Django sessions table also has a column called "session_data" which stores the hashed session data (which the user will not have access to, unless they have access to your db).

I do not recommend storing permissions in sessions; there are better ways to implement this. Additionally, with the default Django sessions model backend, session data is stored in the database, so indirectly queries are still being made.

Upvotes: 2
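The answer's point is about where the session contents live and what the client can actually touch. With Django's database backend the cookie carries only the session key and the contents stay in the django_session table; with Django's signed_cookies backend the contents do travel in the cookie, but signed with SECRET_KEY so that a rewritten value fails verification. The block below is an added, dependency-free illustration of both models written for this page, not Django's code: `ServerSideSessionStore`, `permission_from_server_session`, `sign_session`, `load_signed_session` and `tamper_payload` are names invented here, the secret key and the permission value 2 are constructed sample data, and the HMAC scheme stands in for Django's signing module rather than reproducing its exact format.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; in Django this role is played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


class ServerSideSessionStore:
    """Stand-in for the database session backend: the browser only ever
    receives an opaque session key, and the contents stay on the server."""

    def __init__(self):
        # session_key -> session dict (plays the role of the django_session table)
        self._rows = {}

    def create(self, data):
        session_key = secrets.token_urlsafe(32)  # unguessable identifier
        self._rows[session_key] = dict(data)
        return session_key  # this is all that goes into the cookie

    def load(self, session_key):
        # Unknown or forged keys simply resolve to an empty session.
        return dict(self._rows.get(session_key, {}))


def permission_from_server_session(store, cookie_value):
    """Hypothetical view helper: resolve the cookie to a session row and
    read 'project_permission', defaulting to 0 (no access)."""
    return int(store.load(cookie_value).get("project_permission", 0))


def sign_session(data, key=SECRET_KEY):
    """Stand-in for a signed-cookie backend: payload.signature, where the
    signature is an HMAC-SHA256 over the encoded payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def load_signed_session(cookie_value, key=SECRET_KEY):
    """Return the session dict if the signature verifies, else None.
    The contents are readable by the client but not forgeable."""
    try:
        payload, sig = cookie_value.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def tamper_payload(cookie_value, new_data):
    """Model the failure case the question asks about: the client rewrites
    the payload but cannot produce a matching signature without the key."""
    _, old_sig = cookie_value.rsplit(".", 1)
    payload = base64.urlsafe_b64encode(
        json.dumps(new_data, sort_keys=True).encode()
    ).decode()
    return f"{payload}.{old_sig}"


if __name__ == "__main__":
    store = ServerSideSessionStore()
    sid = store.create({"project_permission": 2})
    print("server-side, real key:", permission_from_server_session(store, sid))
    print("server-side, forged key:", permission_from_server_session(store, "not-a-real-key"))

    cookie = sign_session({"project_permission": 2})
    print("signed cookie, intact:", load_signed_session(cookie))
    print("signed cookie, rewritten:", load_signed_session(tamper_payload(cookie, {"project_permission": 4})))
```

The server-side store answers the question directly: there is no permission value in the cookie to edit, only a key that resolves (or fails to resolve) to a row the server owns. It also shows the cost the answer mentions, since every request has to look that row up. The signed variant shows the other trade-off: the value is visible to the client and the check rests entirely on the secret key, so key disclosure would let anyone mint a cookie with any permission level.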
