+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+
- {% if username %}
-
Logged in as user: {{username}}
- {% endif %}
- {% if data %}
-
Your Secret Key is {{data}}
- {% endif %}
+
+ {% if username %}
+
Logged in as user: {{username}}
+ {% endif %}
- {% if not_admin %}
- {{not_admin}}
- {% endif %}
+ {% if data %}
+ Your Secret Key is {{data}}
+ {% endif %}
- {% if no_creds %}
- Please Provide Credentials
- {% endif %}
+ {% if not_admin %}
+ {{not_admin}}
+ {% endif %}
+ {% if no_creds %}
+ Please Provide Credentials
+ {% endif %}
-
-
+
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/introduction/views.py b/introduction/views.py
index 0f550c4..78b394f 100644
--- a/introduction/views.py
+++ b/introduction/views.py
@@ -142,46 +142,25 @@ def sql(request):
return render(request,'Lab/SQL/sql.html')
else:
return redirect('login')
-
def sql_lab(request):
if request.user.is_authenticated:
-
- name=request.POST.get('name')
-
- password=request.POST.get('pass')
-
+ name = request.POST.get('name')
+ password = request.POST.get('pass')
if name:
-
if login.objects.filter(user=name):
-
- sql_query = "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
- print(sql_query)
- try:
- print("\nin try\n")
- val=login.objects.raw(sql_query)
- except:
- print("\nin except\n")
- return render(
- request,
- 'Lab/SQL/sql_lab.html',
- {
- "wrongpass":password,
- "sql_error":sql_query
- })
-
+ val = login.objects.filter(user=name).filter(password=password)
+ print(val)
if val:
- user=val[0].user
- return render(request, 'Lab/SQL/sql_lab.html',{"user1":user})
+ user = val[0].user
+ return render(request, 'Lab/SQL/sql_lab.html', {"user1": user})
else:
return render(
- request,
+ request,
'Lab/SQL/sql_lab.html',
- {
- "wrongpass":password,
- "sql_error":sql_query
- })
+ {"wrongpass": password, "sql_error": "User not found"}
+ )
else:
- return render(request, 'Lab/SQL/sql_lab.html',{"no": "User not found"})
+ return render(request, 'Lab/SQL/sql_lab.html', {"no": "User not found"})
else:
return render(request, 'Lab/SQL/sql_lab.html')
else:
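Review bot: The wrong-password branch at L93 still sends the submitted password back to the template as `wrongpass`, and the new lookup at L77 (`.filter(user=name).filter(password=password)`) compares the password as a plaintext column value, so the parameterized query removes the injection but not the credential exposure. Drop the password from the context, `{"sql_error": "Invalid credentials"}`, and remove the `print(val)` at L78, which writes queryset rows (including the password column) to the server log on every attempt. The two failure branches also now emit the same "User not found" text for both a bad user and a bad password, so the `sql_error` at L93 is misleading; if the intent is to keep username enumeration out, that is fine but the L97 branch should say the same thing deliberately. This is the SQL lab of an intentionally vulnerable app (the `pygoat.settings` import at L807), so confirm the lab is meant to be remediated rather than kept exploitable.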
@@ -198,20 +177,31 @@ def insec_des(request):
@dataclass
class TestUser:
admin: int = 0
+
+ def serialize(self):
+ import json
+
+ return json.dumps({'admin': self.admin})
+
+ @classmethod
+ def deserialize(cls, data):
+ import json
+
+ data = json.loads(data)
+ return cls(**data)
pickled_user = pickle.dumps(TestUser())
encoded_user = base64.b64encode(pickled_user)
-
def insec_des_lab(request):
if request.user.is_authenticated:
response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Only Admins can see this page"})
token = request.COOKIES.get('token')
- if token == None:
+ if token is None:
token = encoded_user
- response.set_cookie(key='token',value=token.decode('utf-8'))
+ response.set_cookie(key='token',value=token.decode('utf-8'), secure=True, httponly=True, samesite='Lax')
else:
token = base64.b64decode(token)
- admin = pickle.loads(token)
- if admin.admin == 1:
+ admin = json.loads(token.decode('utf-8'))
+ if admin.get('admin', 0) == 1:
response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Welcome Admin, SECRETKEY:ADMIN123"})
return response
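Review bot: `encoded_user` at L117-L118 is still the base64 of `pickle.dumps(TestUser())`, so the cookie issued on the first visit holds pickle bytes and the very next request hits `json.loads(token.decode('utf-8'))` at L133 with a non-JSON, non-UTF-8 payload and raises an unhandled `UnicodeDecodeError`/`json.JSONDecodeError`; the new `TestUser.serialize` is never called. Seed the cookie from it, `encoded_user = base64.b64encode(TestUser().serialize().encode())`, and wrap L130-L134 in `except (ValueError, UnicodeDecodeError)` that falls back to the default token. `json` is used at module scope on L133 but only imported inside the methods at L107/L113, so it needs a top-level import that is not visible in this diff. Swapping pickle for JSON removes the deserialization RCE but the `admin` flag remains fully client-controlled at L134 — anyone can set the cookie to the base64 of `{"admin": 1}` — so if the goal is to fix rather than keep the lab, sign the value with `django.core.signing.dumps`/`loads`. Note also that `secure=True` on L128 means the cookie is never returned over the plain-HTTP dev server, so the `else` branch would only ever run behind TLS.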
@@ -234,21 +224,15 @@ def xxe_lab(request):
return render(request,'Lab/XXE/xxe_lab.html')
else:
return redirect('login')
-
-@csrf_exempt
def xxe_see(request):
if request.user.is_authenticated:
- data=comments.objects.all()
- com=data[0].comment
- return render(request,'Lab/XXE/xxe_lab.html',{"com":com})
- else:
- return redirect('login')
-
-
-@csrf_exempt
+ data=comments.objects.all()
+ com=data[0].comment
+ return render(request,'Lab/XXE/xxe_lab.html',{"com":com})
+ else:
+ return redirect('login')
def xxe_parse(request):
-
parser = make_parser()
parser.setFeature(feature_external_ges, True)
doc = parseString(request.body.decode('utf-8'), parser=parser)
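Review bot: The XXE sink is untouched — `parser.setFeature(feature_external_ges, True)` at L161 still resolves external entities from the raw request body at L162, so removing `@csrf_exempt` from `xxe_see` hardens the wrong function; the one-line fix is `parser.setFeature(feature_external_ges, False)` (or parse with `defusedxml`). `xxe_parse` also has no `is_authenticated` check, unlike every sibling view in this hunk, and its body continues outside the hunk. Dropping `@csrf_exempt` means any client that POSTs raw XML to this endpoint without the CSRF token now gets a 403, so the lab page's submit code needs to send it. Separately, `data[0].comment` at L154 raises `IndexError` when the `comments` table is empty; use `comments.objects.first()` and handle `None`.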
@@ -269,7 +253,6 @@ def auth_home(request):
def auth_lab(request):
return render(request,'Lab/AUTH/auth_lab.html')
-
def auth_lab_signup(request):
if request.method == 'GET':
return render(request,'Lab/AUTH/auth_lab_signup.html')
@@ -280,59 +263,47 @@ def auth_lab_signup(request):
passwd = request.POST['pass']
obj = authLogin.objects.create(name=name,username=user_name,password=passwd)
try:
- rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name,'err_msg':'Cookie Set'})
- response = HttpResponse(rendered)
- response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
- print('Setting cookie successful')
- return response
+ context = {'username': obj.username,'userid':obj.userid,'name':obj.name,'err_msg':'Cookie Set'}
+ return render(request,'Lab/AUTH/auth_success.html', context)
except:
- render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Cookie cannot be set'})
+ return render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Cookie cannot be set'})
except:
return render(request,'Lab/AUTH/auth_lab_signup.html',{'err_msg':'Username already exists'})
-
def auth_lab_login(request):
if request.method == 'GET':
try:
obj = authLogin.objects.filter(userid=request.COOKIES['userid'])[0]
- rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
- response = HttpResponse(rendered)
- response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
- print('Login successful')
- return response
+ return render(request,'Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
except:
return render(request,'Lab/AUTH/auth_lab_login.html')
+
elif request.method == 'POST':
try:
user_name = request.POST['username']
passwd = request.POST['pass']
print(user_name,passwd)
obj = authLogin.objects.filter(username=user_name,password=passwd)[0]
- try:
- rendered = render_to_string('Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
- response = HttpResponse(rendered)
- response.set_cookie('userid', obj.userid, max_age=31449600, samesite=None, secure=False)
- print('Login successful')
- return response
- except:
- render(request,'Lab/AUTH/auth_lab_login.html',{'err_msg':'Cookie cannot be set'})
+ return render(request,'Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
except:
return render(request,'Lab/AUTH/auth_lab_login.html',{'err_msg':'Check your credentials'})
-
+ response = HttpResponse()
+ response.set_cookie('userid', obj.userid, max_age=31449600, secure=True, httponly=True, samesite='Lax')
+ print('Login successful')
+ return response
def auth_lab_logout(request):
- rendered = render_to_string('Lab/AUTH/auth_lab.html',context={'err_msg':'Logout successful'})
- response = HttpResponse(rendered)
+ context = {'err_msg': 'Logout successful'}
+ rendered = render(request, 'Lab/AUTH/auth_lab.html', context)
+ response = render(request, 'Lab/AUTH/auth_lab.html', context)
response.delete_cookie('userid')
return response
+from django.views.decorators.csrf import ensure_csrf_cookie
-#***************************************************************Broken Access Control************************************************************#
-
-@csrf_exempt
+@ensure_csrf_cookie
def ba(request):
if request.user.is_authenticated:
return render(request,"Lab/BrokenAccess/ba.html")
else:
return redirect('login')
-@csrf_exempt
def ba_lab(request):
if request.user.is_authenticated:
name = request.POST.get('name')
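Review bot: In `auth_lab_login` the POST branch returns from inside the `try` at L214 and the `except` returns at L216, so the cookie-setting lines L218-L221 are unreachable (and `obj` would be unbound there after an exception anyway); since signup also no longer sets `userid` (L176 removed), the GET path reading `request.COOKIES['userid']` at L190 can never succeed and the lab cannot log anyone in. Set the cookie on the rendered response inside the success path and delete the dead tail. The stored password is still plaintext at L172 and compared plaintext at L205, and the `userid` cookie is an unsigned, presumably sequential id, so the rest of this flow stays forgeable — acceptable only if this is the intentionally broken lab. `auth_lab_logout` now renders the template twice (L226 is unused), and the `ensure_csrf_cookie` import at L230 sits mid-file; move it to the top-level import block.
```python
            obj = authLogin.objects.filter(username=user_name,password=passwd)[0]
            response = render(request,'Lab/AUTH/auth_success.html', {'username': obj.username,'userid':obj.userid,'name':obj.name, 'err_msg':'Login Successful'})
            response.set_cookie('userid', obj.userid, max_age=31449600, secure=True, httponly=True, samesite='Lax')
            return response
        except IndexError:
            return render(request,'Lab/AUTH/auth_lab_login.html',{'err_msg':'Check your credentials'})
        # … removed: unreachable HttpResponse()/set_cookie tail …
```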
@@ -341,36 +312,36 @@ def ba_lab(request):
if request.COOKIES.get('admin') == "1":
return render(
request,
- 'Lab/BrokenAccess/ba_lab.html',
- {
- "data":"0NLY_F0R_4DM1N5",
- "username": "admin"
- })
- elif login.objects.filter(user='admin',password=password):
+ 'Lab/BrokenAccess/ba_lab.html',
+ {
+ "data": "0NLY_F0R_4DM1N5",
+ "username": "admin"
+ })
+ elif login.objects.filter(user='admin', password=password):
html = render(
request,
- 'Lab/BrokenAccess/ba_lab.html',
- {
- "data":"0NLY_F0R_4DM1N5",
- "username": "admin"
- })
- html.set_cookie("admin", "1",max_age=200)
+ 'Lab/BrokenAccess/ba_lab.html',
+ {
+ "data": "0NLY_F0R_4DM1N5",
+ "username": "admin"
+ })
+ html.set_cookie("admin", "1", max_age=200)
return html
- elif login.objects.filter(user=name,password=password):
+ elif login.objects.filter(user=name, password=password):
html = render(
- request,
- 'Lab/BrokenAccess/ba_lab.html',
- {
- "not_admin":"No Secret key for this User",
- "username": name
- })
- html.set_cookie("admin", "0",max_age=200)
+ request,
+ 'Lab/BrokenAccess/ba_lab.html',
+ {
+ "not_admin": "No Secret key for this User",
+ "username": name
+ })
+ html.set_cookie("admin", "0", max_age=200)
return html
else:
return render(request, 'Lab/BrokenAccess/ba_lab.html', {"data": "User Not Found"})
else:
- return render(request,'Lab/BrokenAccess/ba_lab.html',{"no_creds":True})
+ return render(request, 'Lab/BrokenAccess/ba_lab.html', {"no_creds": True})
else:
return redirect('login')
@@ -405,12 +376,11 @@ def cmd(request):
return render(request,'Lab/CMD/cmd.html')
else:
return redirect('login')
-@csrf_exempt
def cmd_lab(request):
if request.user.is_authenticated:
if(request.method=="POST"):
domain=request.POST.get('domain')
- domain=domain.replace("https://www.",'')
+ domain=domain.replace("https://www.","")
os=request.POST.get('os')
print(os)
if(os=='win'):
@@ -418,44 +388,39 @@ def cmd_lab(request):
else:
command = "dig {}".format(domain)
- try:
- # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
- process = subprocess.Popen(
- command,
- shell=True,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- stdout, stderr = process.communicate()
- data = stdout.decode('utf-8')
- stderr = stderr.decode('utf-8')
- # res = json.loads(data)
- # print("Stdout\n" + data)
- output = data + stderr
- print(data + stderr)
- except:
- output = "Something went wrong"
+ allowed_commands=["nslookup", "dig"]
+ if command in allowed_commands:
+ try:
+ output=subprocess.Popen(
+ command,
+ shell=False,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE).communicate()[0].decode('utf-8')
+ print(output)
+ except:
+ output = "Something went wrong"
+ return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
+ print(output)
+ return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
+ else:
+ output = "Invalid command"
return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
- print(output)
- return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
else:
return render(request, 'Lab/CMD/cmd_lab.html')
else:
return redirect('login')
-
-@csrf_exempt
def cmd_lab2(request):
if request.user.is_authenticated:
- if (request.method=="POST"):
- val=request.POST.get('val')
+ if request.method == "POST":
+ val = request.POST.get('val')
print(val)
try:
- output = eval(val)
- except:
+ output = ast.literal_eval(val)
+ except (ValueError, SyntaxError):
output = "Something went wrong"
- return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
print("Output = ", output)
- return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
+ return render(request, 'Lab/CMD/cmd_lab2.html', {"output": output})
else:
return render(request, 'Lab/CMD/cmd_lab2.html')
else:
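Review bot: The allowlist at L333-L334 compares the full string `"dig <domain>"` (built at L316) against `["nslookup", "dig"]`, so it never matches and every request returns "Invalid command"; even if it did, `subprocess.Popen(command, shell=False)` at L336-L339 with a string would look for an executable literally named `dig example.com` and the bare `except` at L342 would hide the `FileNotFoundError`. Validate `domain` against a hostname pattern and pass an argv list instead — that is what actually closes the injection without a shell. The `os` local at L311 shadows the `os` module used by `ssrf_lab` at L662, which is harmless here but worth renaming. The rewritten dispatch (`import re` needed at file top) would be:
```python
            domain=request.POST.get('domain')
            domain=domain.replace("https://www.","")
            target_os=request.POST.get('os')
            if not domain or not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", domain):
                return render(request,'Lab/CMD/cmd_lab.html',{"output":"Invalid domain"})
            argv = ["nslookup", domain] if target_os == 'win' else ["dig", domain]
            try:
                output = subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
            except (OSError, subprocess.TimeoutExpired):
                output = "Something went wrong"
            return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
```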
@@ -481,8 +446,6 @@ def bau_lab(request):
def login_otp(request):
return render(request,"Lab/BrokenAuth/otp.html")
-
-@csrf_exempt
def Otp(request):
if request.method=="GET":
email=request.GET.get('email')
@@ -505,7 +468,7 @@ def Otp(request):
otpR=request.POST.get("otp")
email=request.COOKIES.get("email")
if otp.objects.filter(email=email,otp=otpR) or otp.objects.filter(id=2,otp=otpR):
- # return HttpResponse("
Login Success for email:::"+email+"
")
+ # return HttpResponse("
Login Success for email:::"+email+"
")
return render (request,"Lab/BrokenAuth/otp.html",{"email":email})
else:
return render (request,"Lab/BrokenAuth/otp.html",{"otp":"Invalid OTP Please Try Again"})
@@ -540,43 +503,40 @@ def a9(request):
return render(request,"Lab/A9/a9.html")
else:
return redirect('login')
-@csrf_exempt
def a9_lab(request):
if request.user.is_authenticated:
if request.method=="GET":
return render(request,"Lab/A9/a9_lab.html")
else:
- try :
- file=request.FILES["file"]
- try :
- data = yaml.load(file,yaml.Loader)
+ try :
+ file=request.FILES["file"]
+ try :
+ data = yaml.safe_load(file)
- return render(request,"Lab/A9/a9_lab.html",{"data":data})
- except:
- return render(request, "Lab/A9/a9_lab.html", {"data": "Error"})
-
- except:
- return render(request, "Lab/A9/a9_lab.html", {"data":"Please Upload a Yaml file."})
- else:
- return redirect('login')
+ return render(request,"Lab/A9/a9_lab.html",{"data":data})
+ except:
+ return render(request, "Lab/A9/a9_lab.html", {"data": "Error"})
+
+ except:
+ return render(request, "Lab/A9/a9_lab.html", {"data":"Please Upload a Yaml file."})
+ else:
+ return redirect('login')
def get_version(request):
return render(request,"Lab/A9/a9_lab.html",{"version":"pyyaml v5.1"})
-
-@csrf_exempt
def a9_lab2(request):
if not request.user.is_authenticated:
return redirect('login')
if request.method == "GET":
- return render (request,"Lab/A9/a9_lab2.html")
+ return render(request,"Lab/A9/a9_lab2.html")
elif request.method == "POST":
- try :
+ try :
file=request.FILES["file"]
function_str = request.POST.get("function")
img = Image.open(file)
img = img.convert("RGB")
- r,g,b = img.split()
+ r,g,b = img.split()
# function_str = "convert(r+g, '1')"
output = ImageMath.eval(function_str,img = img, b=b, r=r, g=g)
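Review bot: `ImageMath.eval(function_str, ...)` at L453 still evaluates a user-supplied expression from `request.POST.get("function")` (L447); in older Pillow releases that call is backed by Python's `eval` with only a partial builtins restriction, so switching the YAML lab to `yaml.safe_load` at L416 leaves the sibling lab with an equivalent code-evaluation sink. If this lab is meant to be fixed too, restrict `function_str` to an allowlist of expected expressions before calling `ImageMath.eval`, or pin a Pillow version that sandboxes it and say so in a comment. The bare `except:` at L426 and L429 also hides programming errors as "Error"; catch `yaml.YAMLError` and `KeyError`/`MultiValueDictKeyError` respectively. `get_version` at L434 still advertises "pyyaml v5.1", which after this change no longer describes the parser behaviour.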
@@ -588,7 +548,7 @@ def a9_lab2(request):
bufferd_ref = BytesIO()
img.save(bufferd_ref, format="JPEG")
img_str_ref = base64.b64encode(bufferd_ref.getvalue()).decode("utf-8")
- try :
+ try :
return render(request,"Lab/A9/a9_lab2.html",{"img_str": img_str,"img_str_ref":img_str_ref, "success": True})
except Exception as e:
print(e)
@@ -721,28 +681,16 @@ def insec_desgine_lab(request):
pass
else:
return redirect('login')
-
-
-#-------------------------------------------------------------------------------------------------------------------------
-#-------------------------------------------------------------------------------------------------------------------------
-
-###################################################### 2021 A1: Broken Access
-
-@csrf_exempt
def a1_broken_access(request):
if not request.user.is_authenticated:
return redirect('login')
- return render(request,"Lab_2021/A1_BrokenAccessControl/broken_access.html")
-
-
-@csrf_exempt
+ return render(request,"Lab_20/A1_BrokenAccessControl/broken_access.html")
def a1_broken_access_lab_1(request):
if request.user.is_authenticated:
pass
else:
- return redirect('login')
-
+ return redirect('login')
name = request.POST.get('name')
password = request.POST.get('pass')
print(password)
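Review bot: L482 renders `"Lab_20/A1_BrokenAccessControl/broken_access.html"` while the same function family uses `Lab_2021` (L495, L545) and `Lab_20_21` (L512, L517) — three spellings of what was one directory — so unless the templates were moved to match, `a1_broken_access` will raise `TemplateDoesNotExist`; revert to `'Lab_2021/A1_BrokenAccessControl/broken_access.html'`. `a1_broken_access_lab_1` reads `request.POST.get('name')` at L490 without a method check and `print(password)` at L492 logs the submitted password; the function body continues past the hunk.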
@@ -753,10 +701,10 @@ def a1_broken_access_lab_1(request):
request,
'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html',
{
- "data":"0NLY_F0R_4DM1N5",
+ "data": "0NLY_F0R_4DM1N5",
"username": "admin"
})
- elif (name=='jack' and password=='jacktheripper'): # Will implement hashing here
+ elif (name=='jack' and password=='jacktheripper'):
html = render(
request,
'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html',
@@ -767,48 +715,40 @@ def a1_broken_access_lab_1(request):
html.set_cookie("admin", "0",max_age=200)
return html
else:
- return render(request, 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html', {"data": "User Not Found"})
-
+ return render(request, 'Lab_20_21/A1_BrokenAccessControl/broken_access_lab_1.html', {"data": "User Not Found"})
else:
- return render(request,'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html',{"no_creds":True})
-
-@csrf_exempt
+ return render(request,'Lab_20_21/A1_BrokenAccessControl/broken_access_lab_1.html',{"no_creds":True})
def a1_broken_access_lab_2(request):
if request.user.is_authenticated:
pass
else:
- return redirect('login')
-
+ return redirect('login')
name = request.POST.get('name')
password = request.POST.get('pass')
- user_agent = request.META['HTTP_USER_AGENT']
-
- # print(name)
- # print(password)
+ user_agent = request.META['HTTP_USER_AGENT']
print(user_agent)
- if name :
+ if name:
if (user_agent == "pygoat_admin"):
return render(
request,
- 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html',
- {
- "data":"0NLY_F0R_4DM1N5",
- "username": "admin",
- "status": "admin"
- })
- elif ( name=='jack' and password=='jacktheripper'): # Will implement hashing here
+ 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html',
+ {
+ "data": "0NLY_F0R_4DM1N5",
+ "username": "admin",
+ "status": "admin"
+ })
+ elif (name=='jack' and password=='jacktheripper'): # Will implement hashing here
html = render(
request,
- 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html',
- {
- "not_admin":"No Secret key for this User",
- "username": name,
- "status": "not admin"
- })
+ 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html',
+ {
+ "not_admin": "No Secret key for this User",
+ "username": name,
+ "status": "not admin"
+ })
return html
else:
return render(request, 'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html', {"data": "User Not Found"})
-
else:
return render(request,'Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html',{"no_creds":True})
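Review bot: Within `a1_broken_access_lab_1` the success branch renders from `Lab_2021/...` (L495) but the new failure branches at L512 and L517 render from `Lab_20_21/...`, so one of the two paths will fail with `TemplateDoesNotExist` whichever directory actually exists; make both `'Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html'`. `request.META['HTTP_USER_AGENT']` at L531 raises `KeyError` (a 500) for any client that omits the header, which is exactly what a tester probing this lab will do; use `request.META.get('HTTP_USER_AGENT', '')`. The hard-coded `jack`/`jacktheripper` comparison at L551 still carries the "Will implement hashing here" comment that L502 dropped from the sibling lab, so the cleanup is half-done.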
@@ -832,67 +772,32 @@ def a1_broken_access_lab3_secret(request):
return redirect('login')
# no checking applied here
return render(request, 'Lab_2021/A1_BrokenAccessControl/secret.html')
+from django.contrib.auth.decorators import login_required
-
-###################################################### 2021 A3: Injection
-
-@csrf_exempt
+@login_required
def injection(request):
if not request.user.is_authenticated:
- return redirect('login')
-
+ return redirect('login')
return render(request,"Lab_2021/A3_Injection/injection.html")
-
-
-@csrf_exempt
def injection_sql_lab(request):
if request.user.is_authenticated:
-
- name=request.POST.get('name')
- password=request.POST.get('pass')
+ name = request.POST.get('name')
+ password = request.POST.get('pass')
print(name)
print(password)
if name:
- sql_query = "SELECT * FROM introduction_sql_lab_table WHERE id='"+name+"'AND password='"+password+"'"
-
- sql_instance = sql_lab_table(id="admin", password="65079b006e85a7e798abecb99e47c154")
- sql_instance.save()
- sql_instance = sql_lab_table(id="jack", password="jack")
- sql_instance.save()
- sql_instance = sql_lab_table(id="slinky", password="b4f945433ea4c369c12741f62a23ccc0")
- sql_instance.save()
- sql_instance = sql_lab_table(id="bloke", password="f8d1ce191319ea8f4d1d26e65e130dd5")
- sql_instance.save()
-
- print(sql_query)
-
try:
- user = sql_lab_table.objects.raw(sql_query)
- user = user[0].id
- print(user)
+ user = sql_lab_table.objects.get(id=name)
+ if user.password == password:
+ return render(request, 'Lab_20_21/A3_Injection/sql_lab.html', {"user1": user.id})
+ else:
+ return render(request, 'Lab_20_21/A3_Injection/sql_lab.html', {"wrongpass": password, "sql_error": "Invalid password"})
+ except ObjectDoesNotExist:
+ return render(request, 'Lab_20_21/A3_Injection/sql_lab.html', {"wrongpass": password, "sql_error": "User not found"})
- except:
- return render(
- request,
- 'Lab_2021/A3_Injection/sql_lab.html',
- {
- "wrongpass":password,
- "sql_error":sql_query
- })
-
- if user:
- return render(request, 'Lab_2021/A3_Injection/sql_lab.html',{"user1":user})
- else:
- return render(
- request,
- 'Lab_2021/A3_Injection/sql_lab.html',
- {
- "wrongpass":password,
- "sql_error":sql_query
- })
else:
- return render(request, 'Lab_2021/A3_Injection/sql_lab.html')
+ return render(request, 'Lab_20_21/A3_Injection/sql_lab.html')
else:
return redirect('login')
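Review bot: The new `user.password == password` at L619 compares the raw submission against the stored column, but the seed rows this hunk deletes (L603-L610) held what look like hex digests, so if the table is populated the same way elsewhere no real password will ever match, and if it is not populated at all `sql_lab_table.objects.get` always raises; confirm how the table is seeded before relying on this. `ObjectDoesNotExist` at L623 and `login_required` at L581 must be imported at module scope — the `login_required` import at L576 sits mid-file and the `ObjectDoesNotExist` import is not in this diff. `@login_required` on L581 makes the manual `is_authenticated` check at L583-L586 dead, and the template paths at L620-L646 use `Lab_20_21` while the hunk header shows the file elsewhere using `Lab_2021`. The failure branches at L622 and L624 still echo the submitted password back as `wrongpass`; drop it from the context.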
@@ -907,16 +812,15 @@ def ssrf(request):
return render(request,"Lab/ssrf/ssrf.html")
else:
return redirect('login')
-
def ssrf_lab(request):
if request.user.is_authenticated:
if request.method=="GET":
return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":"Read Blog About SSRF"})
else:
file=request.POST["blog"]
- try :
+ try :
dirname = os.path.dirname(__file__)
- filename = os.path.join(dirname, file)
+ filename = os.path.abspath(os.path.join(dirname, file))
file = open(filename,"r")
data = file.read()
return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":data})
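Review bot: `os.path.abspath` at L664 normalises `..` segments but does not confine the result, so `../../settings.py` still resolves outside `dirname` and an absolute `blog` value makes `os.path.join` discard `dirname` entirely; add a containment check after it, `base = os.path.abspath(dirname)` and `if os.path.commonpath([base, filename]) != base: return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":"Invalid file"})`. The file is opened at L665 without `with`, so the handle leaks on the render path; `with open(filename) as fh: data = fh.read()`. If this lab is meant to stay exploitable, the `abspath` change adds nothing and should be dropped so the code does not look hardened when it is not.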
@@ -944,7 +848,6 @@ def ssrf_target(request):
return render(request,"Lab/ssrf/ssrf_target.html")
else:
return render(request,"Lab/ssrf/ssrf_target.html",{"access_denied":True})
-
@authentication_decorator
def ssrf_lab2(request):
if request.method == "GET":
@@ -952,11 +855,16 @@ def ssrf_lab2(request):
elif request.method == "POST":
url = request.POST["url"]
+ allowed_schemes = ["http", "https"]
+ allowed_hosts = ["example.com", "localhost"]
try:
+ parsed_url = urlparse(url)
+ if parsed_url.scheme not in allowed_schemes or parsed_url.netloc not in allowed_hosts:
+ return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "Invalid URL"})
response = requests.get(url)
- return render(request, "Lab/ssrf/ssrf_lab2.html", {"response": response.content.decode()})
- except:
- return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": "Invalid URL"})
+ return render(request, "Lab/ssrf/ssrf_lab2.html", {"response": ""})
+ except requests.exceptions.RequestException as e:
+ return render(request, "Lab/ssrf/ssrf_lab2.html", {"error": str(e)})
#--------------------------------------- Server-side template injection --------------------------------------#
def ssti(request):
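Review bot: The allowlist at L683 checks `parsed_url.netloc`, which includes any port and userinfo, so `http://localhost:8000/...` is rejected while the intent is clearly host-based; compare `parsed_url.hostname` instead. `requests.get(url)` at L685 still follows redirects and has no timeout, so an allowlisted host can bounce the request to an internal address — use `requests.get(url, allow_redirects=False, timeout=5)` and re-check the scheme/host on any `Location` you do choose to follow. The response body is now discarded (`"response": ""` at L689), so the lab renders nothing on success, which looks accidental. `urlparse` must be imported at module scope; it is not visible in this diff.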
@@ -964,7 +872,6 @@ def ssti(request):
return render(request,"Lab_2021/A3_Injection/ssti.html")
else:
return redirect('login')
-
def ssti_lab(request):
if request.user.is_authenticated:
if request.method=="GET":
@@ -973,21 +880,10 @@ def ssti_lab(request):
elif request.method=="POST":
blog = request.POST["blog"]
id = str(uuid.uuid4()).split('-')[-1]
-
blog = filter_blog(blog)
- prepend_code = "{% extends 'introduction/base.html' %}\
- {% block content %}{% block title %}\
-
SSTI-Blogs\
- {% endblock %}"
-
- blog = prepend_code + blog + "{% endblock %}"
+ return render(request,"Lab_2021/A3_Injection/Blogs/{id}.html", {"blog": blog})
new_blog = Blogs.objects.create(author = request.user, blog_id = id)
new_blog.save()
- dirname = os.path.dirname(__file__)
- filename = os.path.join(dirname, f"templates/Lab_2021/A3_Injection/Blogs/{id}.html")
- file = open(filename, "w+")
- file.write(blog)
- file.close()
return redirect(f'blog/{id}')
else:
return redirect('login')
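Review bot: L715 passes `"Lab_2021/A3_Injection/Blogs/{id}.html"` as a plain string, not an f-string, so Django looks for a template literally named `{id}.html`, and because that line returns, L716-L723 (creating the `Blogs` row and the redirect to `blog/{id}`) are now dead code. If the goal is to stop writing user input into a template file — which is the right fix for the SSTI — keep the object creation and render a fixed template with `blog` as a context variable, e.g. `new_blog = Blogs.objects.create(author=request.user, blog_id=id)` followed by `return render(request, "Lab_2021/A3_Injection/blog.html", {"blog": blog, "id": id})`, where the template name matches whatever the `blog/<id>` view (outside this hunk) serves. That view presumably still expects the per-blog file that is no longer written; check it before merging.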
@@ -1007,20 +903,19 @@ def crypto_failure(request):
return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure.html",{"success":False,"failure":False})
else:
redirect('login')
-
def crypto_failure_lab(request):
if request.user.is_authenticated:
if request.method=="GET":
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html")
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab.html")
elif request.method=="POST":
username = request.POST["username"]
password = request.POST["password"]
try:
- password = md5(password.encode()).hexdigest()
+ password = hashlib.scrypt(password.encode()).hex()
user = CF_user.objects.get(username=username,password=password)
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html",{"user":user, "success":True,"failure":False})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab.html",{"user":user, "success":True,"failure":False})
except:
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab.html",{"success":False, "failure":True})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab.html",{"success":False, "failure":True})
else :
return redirect('login')
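Review bot: `hashlib.scrypt(password.encode())` at L741 is missing the mandatory `salt`, `n`, `r` and `p` keyword arguments, so it raises `TypeError` on every call, the bare `except` at L745 swallows it, and the lab reports failure for every login. The stdlib form is `hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1).hex()` with a per-user salt stored alongside the hash, though in a Django app `django.contrib.auth.hashers.make_password`/`check_password` is the idiomatic choice. Either way the existing `CF_user` rows, previously matched against an md5 digest, will not verify until they are re-hashed. The template directory rename to `A2_Crypto_failure` is applied here but not in `crypto_failure_lab2` (L751, L753 still use `A2_Crypto_failur`), so one of the two labs will raise `TemplateDoesNotExist`.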
@@ -1037,27 +932,27 @@ def crypto_failure_lab2(request):
return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"user":user, "success":True,"failure":False})
except:
return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
-
-# based on CWE-319
def crypto_failure_lab3(request):
if request.user.is_authenticated:
if request.method == "GET":
- try :
- cookie = request.COOKIES["cookie"]
+ try:
+ cookie = request.COOKIES.get("cookie", None)
+ if cookie is None:
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":False,"failure":False})
print(cookie)
expire = cookie.split('|')[1]
expire = datetime.datetime.fromisoformat(expire)
now = datetime.datetime.now()
- if now > expire :
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":False,"failure":False})
+ if now > expire:
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":False,"failure":False})
elif cookie.split('|')[0] == 'admin':
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":True,"failure":False,"admin":True})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":True,"failure":False,"admin":True})
else:
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":True,"failure":False,"admin":False})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":True,"failure":False,"admin":False})
except Exception as e:
print(e)
pass
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html")
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html")
if request.method == "POST":
username = request.POST["username"]
password = request.POST["password"]
@@ -1065,21 +960,20 @@ def crypto_failure_lab3(request):
if username == "User" and password == "P@$$w0rd":
expire = datetime.datetime.now() + datetime.timedelta(minutes=60)
cookie = f"{username}|{expire}"
- response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":True, "failure":False , "admin":False})
- response.set_cookie("cookie", cookie)
+ response = render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":True, "failure":False , "admin":False})
+ response.set_cookie("cookie", cookie, secure=True, httponly=True, samesite='Lax')
response.status_code = 200
return response
else:
- response = render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html",{"success":False, "failure":True})
+ response = render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html",{"success":False, "failure":True})
response.set_cookie("cookie", None)
return response
except:
- return render(request,"Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html",{"success":False, "failure":True})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab2.html",{"success":False, "failure":True})
+ return render(request,"Lab_2021/A2_Crypto_failure/crypto_failure_lab3.html")
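Review bot: The session cookie built at L790 is the unsigned string `f"{username}|{expire}"`, and the admin decision at L773 trusts `cookie.split('|')[0]`, so adding `secure`/`httponly`/`samesite` at L794 changes nothing about a user who sets `admin|2099-01-01T00:00:00` by hand; if this lab is meant to be fixed, issue the value with `django.core.signing.dumps({...})` and read it back with `signing.loads(cookie, max_age=3600)`. `response.set_cookie("cookie", None)` at L800 stores the literal string `None`, which then fails the `split('|')[1]` parse at L766 — use `response.delete_cookie("cookie")`. The `now > expire` comparison uses naive `datetime.now()` on both sides, fine as long as nothing switches to aware datetimes. The failure path at L804 renders the lab2 template from inside lab3, which looks like a copy-paste leftover.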
#-----------------------------------------------SECURITY MISCONFIGURATION -------------------
from pygoat.settings import SECRET_COOKIE_KEY
-
-
def sec_misconfig_lab3(request):
if not request.user.is_authenticated:
return redirect('login')
@@ -1092,14 +986,14 @@ def sec_misconfig_lab3(request):
return render(request,"Lab/sec_mis/sec_mis_lab3.html", {"admin":False} )
except:
payload = {
- 'user':'not_admin',
- 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=60),
- 'iat': datetime.datetime.utcnow(),
+ 'user':'not_admin',
+ 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=60),
+ 'iat': datetime.datetime.utcnow(),
}
cookie = jwt.encode(payload, SECRET_COOKIE_KEY, algorithm='HS256')
response = render(request,"Lab/sec_mis/sec_mis_lab3.html", {"admin":False} )
- response.set_cookie(key = "auth_cookie", value = cookie)
+ response.set_cookie(key = "auth_cookie", value = cookie, secure=True, httponly=True, samesite='Lax')
return response
# - ------------------------Identification and Authentication Failures--------------------------------
@@ -1159,43 +1053,35 @@ def auth_failure_lab2(request):
"User3":{"userid":"3", "username":"User3", "password": "5a91a66f0c86b5435fe748706b99c17e6e54a17e03c2a3ef8d0dfa918db41cf6"},
"User4":{"userid":"4", "username":"User4", "password": "6046bc3337728a60967a151ee584e4fd7c53740a49485ebdc38cac42a255f266"}
}
-
-# USER_A7_LAB3 = {
-# "User1":{"userid":"1", "username":"User1", "password": "Hash1"},
-# "User2":{"userid":"2", "username":"User2", "password": "Hash2"},
-# "User3":{"userid":"3", "username":"User3", "password": "Hash3"},
-# "User4":{"userid":"4", "username":"User4", "password": "Hash4"}
-# }
-
@authentication_decorator
-@csrf_exempt
def auth_failure_lab3(request):
- if request.method == "GET":
- try:
- cookie = request.COOKIES["session_id"]
- session = AF_session_id.objects.get(session_id=cookie)
- if session :
- return render(request,"Lab_2021/A7_auth_failure/lab3.html", {"username":session.user,"success":True})
- except:
- pass
- return render(request, "Lab_2021/A7_auth_failure/lab3.html")
- elif request.method == "POST":
- token = str(uuid.uuid4())
- try:
- username = request.POST["username"]
- password = request.POST["password"]
- password = hashlib.sha256(password.encode()).hexdigest()
- except:
- response = render(request, "Lab_2021/A7_auth_failure/lab3.html")
- response.set_cookie("session_id", None)
- return response
-
- if USER_A7_LAB3[username]['password'] == password:
- session_data = AF_session_id.objects.create(session_id=token, user=USER_A7_LAB3[username]['username'])
- session_data.save()
- response = render(request, "Lab_2021/A7_auth_failure/lab3.html", {"success":True, "failure":False, "username":username})
- response.set_cookie("session_id", token)
- return response
+ if request.method == "GET":
+ try:
+ cookie = request.COOKIES["session_id"]
+ session = AF_session_id.objects.get(session_id=cookie)
+ if session:
+ return render(request,"Lab_2021/A7_auth_failure/lab3.html", {"username":session.user,"success":True})
+ except:
+ pass
+ return render(request, "Lab_2021/A7_auth_failure/lab3.html")
+ elif request.method == "POST":
+ token = str(uuid.uuid4())
+ try:
+ username = request.POST["username"]
+ password = request.POST["password"]
+ password = hashlib.sha256(password.encode()).hexdigest()
+ except:
+ response = render(request, "Lab_2021/A7_auth_failure/lab3.html")
+ response.set_cookie("session_id", None)
+ return response
+
+ if USER_A7_LAB3[username]['password'] == password:
+ session_data = AF_session_id.objects.create(session_id=token, user=USER_A7_LAB3[username]['username'])
+ session_data.save()
+ response = render(request, "Lab_2021/A7_auth_failure/lab3.html", {"success":True, "failure":False, "username":username})
+ response.set_cookie("session_id", token, secure=True)
+ return response
+
#-- coding playground for lab2
@authentication_decorator
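Review bot: `USER_A7_LAB3[username]` at L891 runs outside the `try`, so any username not in the dict raises `KeyError` and the view returns a 500 instead of a failed-login page; use `record = USER_A7_LAB3.get(username)` and `if record and hmac.compare_digest(record['password'], password):`. The `session_id` cookie at L895 gets `secure=True` only, unlike the other cookies in this change which also set `httponly=True, samesite='Lax'`; keep it consistent, since this is the one cookie that actually carries a session. The `except` at L886 is bare and `set_cookie("session_id", None)` at L888 writes the string `None` rather than clearing the cookie. Passwords are compared as unsalted SHA-256 (L885), acceptable only if that is the lab's intended weakness.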