I read Set "secure" attribute for Flask cookies, but that is about setting Secure cookies, whereas I'm trying to set HttpOnly cookies. They are both kind-of-secure cookies, but they differ in spec.
The cookie needs to be protected because it holds users' login information.
Flask provides the configuration value SESSION_COOKIE_HTTPONLY, which controls whether the session cookie (the one Flask itself sets for flask.session) is marked HttpOnly. It defaults to True, so unless it is explicitly set to False the session cookie is HttpOnly. Note that this setting only covers the session cookie: a cookie you set yourself with set_cookie() is not affected by it and needs httponly=True passed explicitly.
In Flask, cookies are set on the response object. Use make_response() to turn a view function's return value into a response object, then call its set_cookie() method to store the cookie. Reading a cookie back is easy: incoming cookies are available in the dict-like request.cookies.
Flask cookies should be set securely by passing secure=True, httponly=True and samesite='Lax' to response.set_cookie(...). Without these attributes the cookie can be read by injected JavaScript (no HttpOnly), sent over plain HTTP (no Secure) or attached to cross-site requests (no SameSite), all of which make it easier for an attacker to steal or misuse it.