Question

I come from the session docs, trying to find out how safe the sessions are for sensitive data.

I want to cache remote connections, more specifically SSH connections.

The docs mention some security issues with pickle but that's not what I'm looking for.

Would the sessions store SSH authentication data in plain text (no matter whether it is in the database, files or wherever)?


Solution

The Django session system stores your session in the configured SESSION_ENGINE.

The most common one to use is the database, but the filesystem, a cache system or signed cookies are also options. Since everything except the cookies is on the server, they should be fairly "safe", but they are only as safe as your server is.

The data is not encrypted, though. It should be noted that if someone has access to your server, they will also have access to your encryption keys, since your server still needs to be able to decrypt the data, so it doesn't make much difference in the end. For most safety I would recommend storing the sessions (possibly encrypted) in Redis, which disappears as soon as Redis shuts down.

Storing them encrypted in the cookies is a good alternative to keep the data safe, but only when using https so they cannot be sniffed. And don't forget that you will still need to encrypt it yourself.
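To make the "signed but not encrypted" point of the answer concrete, here is an added example that is not part of the original answer or of Django itself. It reproduces, with the standard library only, the shape of the token Django's `django.core.signing` writes into `session_data` (for the `db`, `file`, `cache`, `cached_db` and `signed_cookies` values of `SESSION_ENGINE` alike): URL-safe base64 JSON, optionally zlib-compressed with a leading `.`, a base62 timestamp, and an HMAC-SHA256 signature. `SECRET_KEY` and `KEY_SALT` are constructed demo values, and the key derivation is an approximation of Django's `salted_hmac`, so treat the token format as illustrative rather than byte-for-byte identical. The function names `encode_session`, `peek_without_key` and `verify` are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Constructed values for the demo: a real project uses settings.SECRET_KEY and
# the key_salt that django.contrib.sessions derives from its SessionStore class.
SECRET_KEY = "constructed-demo-secret-do-not-reuse"
KEY_SALT = "django.contrib.sessions.SessionStore"
B62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_encode(raw: bytes) -> str:
    """URL-safe base64 without '=' padding, the style django.core.signing uses."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64_decode(text: str) -> bytes:
    # Re-add the padding that was stripped on the way out.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b62_encode(n: int) -> str:
    """Base62 timestamp, as TimestampSigner appends to the signed value."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, rem = divmod(n, 62)
        out = B62_ALPHABET[rem] + out
    return out


def _signature(value: str) -> str:
    """HMAC-SHA256 with a key derived from (salt + 'signer' + secret)."""
    key = hashlib.sha256((KEY_SALT + "signer" + SECRET_KEY).encode()).digest()
    return _b64_encode(hmac.new(key, value.encode(), hashlib.sha256).digest())


def encode_session(session_dict: dict) -> str:
    """Build a token shaped like Django's session_data: payload:timestamp:signature."""
    data = json.dumps(session_dict, separators=(",", ":")).encode()
    payload = _b64_encode(data)
    compressed = zlib.compress(data)
    if len(compressed) < len(data) - 1:      # Django only compresses when it helps
        payload = "." + _b64_encode(compressed)
    stamped = f"{payload}:{_b62_encode(int(time.time()))}"
    return f"{stamped}:{_signature(stamped)}"


def peek_without_key(token: str) -> dict:
    """Recover the session dict from a token WITHOUT knowing SECRET_KEY.

    The signature only proves integrity; the payload is plain base64
    (optionally zlib-compressed) JSON, so whoever can read the stored
    token (database row, session file, cache entry, cookie) reads the data.
    """
    payload = token.split(":", 1)[0]
    if payload.startswith("."):
        raw = zlib.decompress(_b64_decode(payload[1:]))
    else:
        raw = _b64_decode(payload)
    return json.loads(raw)


def verify(token: str) -> bool:
    """What the secret key actually buys you: tamper detection, not secrecy."""
    stamped, _, sig = token.rpartition(":")
    return hmac.compare_digest(_signature(stamped), sig)


if __name__ == "__main__":
    # Constructed session content: an SSH credential someone was tempted to cache.
    token = encode_session({"user": "alice", "ssh_password": "hunter2"})
    print("stored token:     ", token)
    print("read without key: ", peek_without_key(token))
    print("signature valid:  ", verify(token))
```

Run it and the password comes back out of `peek_without_key` with no key involved, while `verify` is the only function that needs `SECRET_KEY`. That is the split the answer describes: the signature stops a client from forging a cookie, and the server-side stores keep the token away from the client, but nothing in either layer hides the content from whoever holds the stored token. Anything that must stay confidential has to be encrypted by your own code before it goes into `request.session`, or kept out of the session entirely.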

Licensed under: CC-BY-SA with attribution