 

How to make Django sessionId cookie as secure

These are my current sessionId cookie attributes:

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Max-Age=1209600; Path=/

I want sessionId to be secure with the secure attribute:

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly,secure; Max-Age=1209600; Path=/

I have tried adding the following attribute in settings.py:

SESSION_COOKIE_SECURE = True

However, I am still not getting the secure attribute in sessionId. Any alternative solution for this?

user3415910 asked Jul 23 '18 10:07




1 Answer

  1. Verify that your settings file is properly configured

  2. Set the SESSION_COOKIE_SECURE = True in the settings file

  3. You can test the changes by running your Django application in the interactive shell to check if the variable got changed:

from django.conf import settings
settings.SESSION_COOKIE_SECURE # it should be printing "True"

Important: If you are running the application over HTTP instead of HTTPS (which is usually the case on our local machines), even with that variable set to True the session cookie will not get encrypted. It just works over HTTPS connections.

fabriciorissetto answered Sep 18 '22 16:09
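Two things are worth checking beyond the answer above. First, the Secure attribute does not encrypt anything: it tells the browser never to send the cookie over plain HTTP. Django's SessionMiddleware passes SESSION_COOKIE_SECURE straight into HttpResponse.set_cookie, which builds the header with the standard library's http.cookies.SimpleCookie (that is why the attributes in the question appear in alphabetical order), so the attribute is emitted regardless of whether the request itself arrived over HTTPS. Second, Django only writes the session cookie when the session is saved (it was modified, or SESSION_SAVE_EVERY_REQUEST is True), so after changing settings.py you will not see a new Set-Cookie until you log out and back in or clear the old cookie. The following example, added here and not part of the question, the answer or Django, uses only the standard library: it renders the Set-Cookie value Django would produce for a given set of settings (expires is left out for brevity, and the settings dict stands in for settings.py), audits a captured header for the attributes a session cookie should carry, and reproduces the SESSION_COOKIE_SECURE / SESSION_COOKIE_HTTPONLY / CSRF_COOKIE_SECURE checks that `python manage.py check --deploy` performs (security.W012 is the warning for SESSION_COOKIE_SECURE). The header constant is the one from the question; the settings dicts are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: the Set-Cookie value from the question (no Secure, no SameSite).
QUESTION_HEADER = (
    "sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; "
    "expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Max-Age=1209600; Path=/"
)

# Django settings.py values that control the session and CSRF cookies (setting names
# are Django's own; the dicts stand in for a settings module in this example).
HARDENED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,     # adds "Secure": browser sends it only over HTTPS
    "SESSION_COOKIE_HTTPONLY": True,   # adds "HttpOnly": not readable via document.cookie
    "SESSION_COOKIE_SAMESITE": "Lax",  # adds "SameSite=Lax": withheld on cross-site POSTs
    "CSRF_COOKIE_SECURE": True,        # same protection for the csrftoken cookie
}
WEAK_SETTINGS = {
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": False,
}


def render_session_cookie(settings, session_key, max_age=1209600):
    """Build the Set-Cookie value Django's SessionMiddleware would emit for these
    settings. Django's HttpResponse.set_cookie uses SimpleCookie, so the attribute
    order (sorted by name) matches what a browser would receive."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_key
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if settings.get("SESSION_COOKIE_SECURE"):
        morsel["secure"] = True
    if settings.get("SESSION_COOKIE_HTTPONLY"):
        morsel["httponly"] = True
    if settings.get("SESSION_COOKIE_SAMESITE"):
        morsel["samesite"] = settings["SESSION_COOKIE_SAMESITE"]
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute (lowercased): value}).
    Attributes are separated by ';' (RFC 6265); flag attributes map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def missing_session_attributes(header):
    """Return the protective attributes absent from a captured session Set-Cookie."""
    _, _, attrs = parse_set_cookie(header)
    wanted = (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))
    return [label for key, label in wanted if key not in attrs]


def settings_warnings(settings):
    """Subset of the cookie checks `manage.py check --deploy` performs, as plain text."""
    warnings = []
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        warnings.append("SESSION_COOKIE_SECURE is not True: session cookie is sent over plain HTTP")
    if settings.get("SESSION_COOKIE_HTTPONLY") is not True:
        warnings.append("SESSION_COOKIE_HTTPONLY is not True: session cookie readable from JavaScript")
    if settings.get("CSRF_COOKIE_SECURE") is not True:
        warnings.append("CSRF_COOKIE_SECURE is not True: CSRF cookie is sent over plain HTTP")
    return warnings


if __name__ == "__main__":
    print("question header is missing:", missing_session_attributes(QUESTION_HEADER))
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        header = render_session_cookie(cfg, "3jdpjxgepk49vrnhbabdvju3r80ci581")
        print(label, "->", header)
        print("   missing:", missing_session_attributes(header))
        print("   check --deploy would warn:", settings_warnings(cfg))
```

Run it against a header copied from your browser's developer tools or from `curl -i`; if the audit still reports Secure missing after the setting is in place and the session has been re-saved, look for a reverse proxy or CDN rewriting Set-Cookie, or for a second settings module being loaded instead of the one you edited. Note also that the form written in the question, `HttpOnly,secure`, parses as a single unknown attribute because the separator is `;`, so a header written that way would still fail the audit.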