On 22 Sep 2016, at 20:32, James Bennett <[email protected]> wrote:
> So personally I'd like to hear some more about why this is seen as necessary
> before I'd endorse work to actually implement it.

The reason why I originally filed a security report is that session stores tend to have less focus on security than databases. Of course this is a moot point when sessions are stored in the database, but I won’t start a debate about why Django still encourages this; this isn’t the point of this thread ;-)

For example, Redis is well known for advertising that it has no security and should only be run within a secure network. (Defense in depth, anyone?) Still, a bunch of companies provide Redis as a service, usually on random EC2 instances directly reachable from the Internet. The best ones require going through an SSL endpoint and providing a password, but an attacker can still talk directly to Redis, which is concerning given its stance on security.

In contrast, the authors of PostgreSQL have implemented an authentication and authorization framework. I’m not qualified to say if it’s robust, but at least it’s better than shrugging off security entirely.

-- 
Aymeric.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/0A4424F9-DA7B-4BB7-B558-34D4B3893CC7%40polytechnique.org.
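The message above draws a line between a Redis session store that is reachable from the Internet in the clear and one that is at least behind TLS and a password. The following is an added example, not code from the thread or from Django, showing how a deployment check could enforce that minimum bar on a session-store URL before it is used: loopback-only instances are accepted, anything else must use `rediss://` (TLS) and carry a password. The function name, the policy and the sample URLs are all constructed for this illustration.

```python
"""Validate that a Redis session-store URL meets a minimum transport/auth bar.

Constructed example for a deployment check; not part of Django and not the
policy of any real provider.  The name check_session_store_url and the rules
below are hypothetical.
"""
from urllib.parse import urlparse

# Hosts on which a plaintext, unauthenticated Redis is not network-exposed.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_session_store_url(url: str) -> list[str]:
    """Return the list of problems found with the store URL (empty if acceptable).

    Assumed policy:
      * loopback-only instances pass (exposure to the network is the concern here);
      * any other host must use the TLS scheme 'rediss' AND supply a password,
        since a password sent over plain 'redis' travels in the clear;
      * non-Redis schemes are reported as unsupported by this check.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("redis", "rediss"):
        return [f"unsupported scheme {parsed.scheme!r}"]

    host = parsed.hostname or ""
    if host in LOOPBACK_HOSTS:
        return []

    problems = []
    if parsed.scheme != "rediss":
        problems.append(
            "plaintext redis:// to a non-loopback host; use rediss:// (TLS)"
        )
    if not parsed.password:
        problems.append(
            "no password in URL; the Redis server must require AUTH"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample URLs: a local instance, a hardened remote one,
    # and a remote instance with neither TLS nor a password.
    for sample in (
        "redis://127.0.0.1:6379/0",
        "rediss://:s3cret@cache.example.internal:6380/0",
        "redis://ec2-host.example.com:6379/0",
    ):
        print(sample, "->", check_session_store_url(sample) or "ok")
```

The check is deliberately conservative: it cannot verify that the server actually requires AUTH or that the TLS endpoint validates certificates, only that the configuration hands the client a URL that could satisfy both. A server-side `requirepass` and a non-public `bind` address remain the Redis operator's responsibility.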
