Hi,

I customized the freppledb/output/commands.py to apply multiprocessing for exporting operationplan based on frepple:6.19.0, and I found the vulnerability using Fortify as below:

Django Bad Practices: Cookie Stored Sessions on freppledb/settings.py: 171

Could anybody give me some suggestion for fixing this vulnerability?
Replies: 1 comment
Django has multiple session backends you can choose from.
Frepple doesn't customize any of the session functionality, so using a different session backend should be pretty easy: https://docs.djangoproject.com/en/3.2/topics/http/sessions/
You're free to choose a different implementation to handle sessions. The frepple default will stay on with cookie-based sessions.
Curious about the reasons why Fortify considers this bad, Google found me this page:
https://vulncat.fortify.com/en/detail?id=desc.structural.python.django_bad_practices_cookie_stored_sessions
The arguments 1 & 2 are not big issues when using https and mode…
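
An added example, not part of the reply above and not frePPLe code: a small audit of the session-related Django settings, comparing a cookie-stored configuration with one that uses the server-side database backend. It assumes the flagged line sets `SESSION_ENGINE` to Django's `signed_cookies` backend; the sample dicts are constructed, and `audit_session_settings` is a hypothetical helper name.

```python
# Added example: audit Django session settings passed in as a plain dict.
# The defaults are Django's documented defaults for these settings.
DJANGO_DEFAULTS = {
    "SESSION_ENGINE": "django.contrib.sessions.backends.db",
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "INSTALLED_APPS": [],
}
COOKIE_ENGINE = "django.contrib.sessions.backends.signed_cookies"
DB_ENGINES = {
    "django.contrib.sessions.backends.db",
    "django.contrib.sessions.backends.cached_db",
}
SERVER_SIDE_ENGINES = DB_ENGINES | {
    "django.contrib.sessions.backends.cache",
    "django.contrib.sessions.backends.file",
}


def audit_session_settings(settings):
    """Return a list of findings for the session-related settings."""
    cfg = {**DJANGO_DEFAULTS, **settings}
    engine = cfg["SESSION_ENGINE"]
    findings = []
    if engine == COOKIE_ENGINE:
        findings.append("session data lives in the client cookie (signed, not encrypted)")
    elif engine not in SERVER_SIDE_ENGINES:
        findings.append(f"unrecognised session engine: {engine}")
    if engine in DB_ENGINES and "django.contrib.sessions" not in cfg["INSTALLED_APPS"]:
        findings.append("db-backed sessions need django.contrib.sessions in INSTALLED_APPS")
    if not cfg["SESSION_COOKIE_SECURE"]:
        findings.append("SESSION_COOKIE_SECURE is off: cookie may be sent over plain HTTP")
    if not cfg["SESSION_COOKIE_HTTPONLY"]:
        findings.append("SESSION_COOKIE_HTTPONLY is off: cookie is readable from JavaScript")
    return findings


# Constructed sample settings (not frePPLe's actual settings file).
FLAGGED = {"SESSION_ENGINE": COOKIE_ENGINE, "INSTALLED_APPS": ["django.contrib.sessions"]}
HARDENED = {
    "SESSION_ENGINE": "django.contrib.sessions.backends.db",
    "INSTALLED_APPS": ["django.contrib.sessions"],
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}

if __name__ == "__main__":
    for name, cfg in (("flagged", FLAGGED), ("hardened", HARDENED)):
        print(name, audit_session_settings(cfg) or "no findings")
```

Moving to the `db` backend also requires running `manage.py migrate` so the session table exists.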