I have a Django application and am configuring some security settings. One of the settings is the SESSION_COOKIE_HTTPONLY flag. I set this flag to True.
On session creation (login) I can see the session HTTPOnly flag set if I inspect cookies. On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed. This empty cookie is not sent back with the httpOnly flag set.
My question: Is this a security concern? Is there a way to force Django to set this flag on logout? Or is this just expected behavior, and is not a security concern, since the session cookie that is returned is blank?
On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed.
The HTTPOnly flag is set to prevent an XSS vulnerability from disclosing the secret session ID. When the cookie is "deleted" by setting it to an empty value, any sensitive data is removed from the cookie. An attacker doesn't have any use for an empty value, so it is not necessary to set the HTTPOnly flag.
On top of that, the expire date is set in the past, and the max-age is set to 0. The client will delete the cookie immediately, leaving any attacker with no chance to read the cookie through an XSS attack.
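The following is an added check that encodes the answer's reasoning; it is not code from the question, the answer, or Django itself. It parses a Set-Cookie header and flags a cookie only when it still carries a value and lacks HttpOnly, while an empty, already-expired deletion cookie (Max-Age=0 or Expires in the past) is treated as harmless. The three sample headers are constructed to resemble Django's login, logout, and a misconfigured response.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (not captured from a real server).
LOGIN_SET_COOKIE = ('sessionid=abc123def456; expires=Fri, 01 Jan 2100 00:00:00 GMT; '
                    'HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax')
LOGOUT_SET_COOKIE = ('sessionid=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; '
                     'Max-Age=0; Path=/; SameSite=Lax')
UNSAFE_SET_COOKIE = 'sessionid=abc123def456; Path=/'  # live session ID, no HttpOnly


@dataclass
class CookieCheck:
    name: str
    value: str
    httponly: bool
    deletion: bool  # empty value AND already expired -> browser discards it at once

    @property
    def concern(self) -> bool:
        # Only a cookie that still carries a session ID and lacks HttpOnly is a problem.
        return not self.deletion and bool(self.value) and not self.httponly


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie value: name=value; attr; attr=val ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    value = value.strip().strip('"')
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    now = datetime.now(timezone.utc)
    expired = False
    if "max-age" in attrs:
        try:
            expired = int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    if not expired and "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            expired = exp <= now
        except (TypeError, ValueError):
            pass
    return CookieCheck(name=name.strip(), value=value,
                       httponly="httponly" in attrs,
                       deletion=(value == "" and expired))
```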