Session Cookie HTTPOnly flag not set on response from logout (Django)
--------------------------------------------------
Rise to the top 3% as a developer or hire one of them at Toptal: https://topt.al/25cXVn
--------------------------------------------------
Music by Eric Matyas
https://www.soundimage.org
Track title: Light Drops
--
Chapters
00:00 Session Cookie Httponly Flag Not Set On Response From Logout (Django)
00:40 Accepted Answer Score 4
01:19 Thank you
--
Full question
https://stackoverflow.com/questions/3378...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#python #django #security #httponly
#avk47
ACCEPTED ANSWER
Score 4
On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed.
The HTTPOnly flag is set to prevent an XSS vulnerability from disclosing the secret session ID. When the cookie is "deleted" by setting it to an empty value, any sensitive data is removed from the cookie. An attacker doesn't have any use for an empty value, so it is not necessary to set the HTTPOnly flag.
On top of that, the expiry date is set in the past, and the max-age is set to 0. The client will delete the cookie immediately, leaving any attacker with no chance to read the cookie through an XSS attack.
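The reasoning in the answer is easy to turn into a triage check for scanner findings: a `Set-Cookie` that clears the session cookie (empty value, `Max-Age=0` or `Expires` in the past) carries no secret, so a missing `HttpOnly` there is a false positive, while the same omission on a cookie that actually issues a session ID is a real finding. The following is an added example, not code from the question, the answer, or Django itself; the header strings are constructed to resemble what a Django logout and login response emit, and the `sessionid` name is Django's default `SESSION_COOKIE_NAME`.

```python
"""Classify Set-Cookie headers for a session cookie: is a missing HttpOnly
flag a real finding, or is the header just deleting the cookie on logout?"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (not captured from a real server).
# What Django's delete_cookie() produces on logout: empty value, expired.
LOGOUT_HEADER = ('sessionid=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; '
                 'Max-Age=0; Path=/; SameSite=Lax')
# A hardened login response: a fresh session ID with HttpOnly set.
LOGIN_OK_HEADER = ('sessionid=9f3c1e0badc0ffee; HttpOnly; Max-Age=1209600; '
                   'Path=/; SameSite=Lax; Secure')
# A weak login response: a fresh session ID readable by script.
LOGIN_BAD_HEADER = 'sessionid=9f3c1e0badc0ffee; Max-Age=1209600; Path=/'


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    bare flags such as HttpOnly and Secure. Surrounding double quotes on the
    cookie value are stripped, so sessionid="" yields an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_deletion(value, attrs, now=None):
    """True when the header clears the cookie: empty value plus an expiry
    that is already in the past (Max-Age <= 0 or an Expires date before now)."""
    now = now or datetime.now(timezone.utc)
    if value != "":
        return False
    expired = False
    if "max-age" in attrs:
        try:
            expired = int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    if not expired and "expires" in attrs:
        try:
            expired = parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            pass  # unparseable or naive date: do not treat as expired
    return expired


def classify(header, session_name="sessionid", now=None):
    """Return one of:
    'not-session-cookie' - header is for some other cookie
    'deletion-ok'        - cookie is being cleared; nothing for XSS to read
    'ok'                 - a session ID is issued with HttpOnly set
    'missing-httponly'   - a session ID is issued without HttpOnly (finding)
    """
    name, value, attrs = parse_set_cookie(header)
    if name != session_name:
        return "not-session-cookie"
    if is_deletion(value, attrs, now):
        return "deletion-ok"
    return "ok" if attrs.get("httponly") is True else "missing-httponly"


if __name__ == "__main__":
    for label, header in (("logout", LOGOUT_HEADER),
                          ("login (hardened)", LOGIN_OK_HEADER),
                          ("login (weak)", LOGIN_BAD_HEADER)):
        print(f"{label:18} -> {classify(header)}")
```

Only the login response without `HttpOnly` is reported; the logout response is recognised as a deletion because its value is empty and it is expired, which is exactly the distinction the answer draws. A scanner that flags the logout header is keying on the flag alone without looking at the value or the expiry.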