Session Cookie HTTPOnly flag not set on response from logout (Django)
Music by Eric Matyas
https://www.soundimage.org
Track title: Over a Mysterious Island
--
Chapters
00:00 Question
01:01 Accepted answer (Score 3)
01:46 Thank you
--
Full question
https://stackoverflow.com/questions/3378...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#python #django #security #httponly
#avk47
--
ACCEPTED ANSWER
Score 4
On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed.
The HTTPOnly flag is set to prevent an XSS vulnerability from disclosing the secret session ID. When the cookie is "deleted" by setting it to an empty value, any sensitive data is removed from the cookie. An attacker doesn't have any use for an empty value, so it is not necessary to set the HTTPOnly flag.
On top of that, the expiry date is set in the past, and the max-age is set to 0. The client will delete the cookie immediately, leaving any attacker with no chance to read the cookie through an XSS attack.
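As an added example (not part of the question or answer above, and not Django's own code), the following Python helper applies the answer's reasoning to raw Set-Cookie headers: a missing HttpOnly is only reported when the session cookie actually carries a value, while a logout cookie of the shape Django emits (empty value, Expires in the past, Max-Age=0) is classified as a benign deletion. The header strings and the cookie name `sessionid` are constructed sample input.

```python
"""Triage Set-Cookie headers: is a missing HttpOnly on the session cookie a real finding?"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def _expires_immediately(morsel, now):
    """True when the client is told to discard the cookie at once:
    Max-Age <= 0, or an Expires date that already lies in the past."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0
        except ValueError:
            pass
    if morsel["expires"] != "":
        try:
            dt = parsedate_to_datetime(morsel["expires"])
            if dt.tzinfo is None:  # treat a naive date as UTC
                dt = dt.replace(tzinfo=timezone.utc)
            return dt <= now
        except (TypeError, ValueError):
            pass
    return False


def triage_set_cookie(headers, session_name="sessionid", now=None):
    """Classify each Set-Cookie line as (cookie name, verdict):
    'ok'       session cookie carries HttpOnly
    'deletion' no HttpOnly, but empty value and immediate expiry (nothing to disclose)
    'finding'  session cookie with a real value and no HttpOnly
    'other'    not the session cookie"""
    now = now or datetime.now(timezone.utc)
    results = []
    for line in headers:
        jar = SimpleCookie()
        jar.load(line)  # one header per jar so repeated names never overwrite each other
        for name, morsel in jar.items():
            if name != session_name:
                results.append((name, "other"))
            elif morsel["httponly"]:
                results.append((name, "ok"))
            elif morsel.value == "" and _expires_immediately(morsel, now):
                results.append((name, "deletion"))
            else:  # any real value without HttpOnly is flagged, expiry or not
                results.append((name, "finding"))
    return results


# Constructed samples in the shape of Django login/logout responses (not captured traffic).
LOGIN_HEADERS = ["sessionid=abc123; expires=Thu, 01 Jan 2099 00:00:00 GMT; HttpOnly; Path=/"]
LOGOUT_HEADERS = ["sessionid=; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/"]
LEAKY_HEADERS = ["sessionid=abc123; Path=/"]
```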