Session Cookie HTTPOnly flag not set on response from logout (Django)
I have a Django application and am configuring some security settings. One of the settings is the SESSION_COOKIE_HTTPONLY flag. I set this flag to True.

On session creation (login) I can see the session HTTPOnly flag set if I inspect cookies. On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed. This empty cookie is not sent back with the httpOnly flag set.

My question: Is this a security concern? Is there a way to force Django to set this flag on logout? Or is this just expected behavior, and is not a security concern, since the session cookie that is returned is blank?

Microtone answered 18/11, 2015 at 17:39

On logout, the server sends back a session cookie update with an empty value to show that the cookie has been destroyed.

The HTTPOnly flag is set to prevent an XSS vulnerability from disclosing the secret session ID. When the cookie is "deleted" by setting it to an empty value, any sensitive data is removed from the cookie. An attacker doesn't have any use for an empty value, so it is not necessary to set the HTTPOnly flag.

On top of that, the expire date is set in the past, and the max-age is set to 0. The client will delete the cookie immediately, leaving any attacker with no chance to read the cookie through an XSS attack.

Booking answered 18/11, 2015 at 18:20

Cool. I figured this was the case. Thanks for confirming! Microtone
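An added example, not code from the question, the answer or Django itself, showing how a cookie-audit check can encode the reasoning in the answer: it reports a live session cookie that lacks HttpOnly or Secure, but does not raise a false positive on the empty, already-expired cookie a logout response sends. The cookie name `sessionid` (Django's default) and the sample Set-Cookie headers are constructed to mirror what Django emits, not captured traffic.

```python
"""Audit Django-style Set-Cookie headers: flag a live session cookie that
lacks HttpOnly/Secure, but not the empty, expired cookie logout sends."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"  # Django's default SESSION_COOKIE_NAME

def is_deletion_cookie(morsel, now=None):
    """True for an empty-valued cookie the browser must discard at once.

    Django's delete_cookie() sends an empty value with Max-Age=0 and an
    Expires date in the past; either attribute alone suffices for a browser.
    """
    if morsel.value != "":
        return False
    if morsel["max-age"] != "" and int(morsel["max-age"]) <= 0:
        return True
    if morsel["expires"]:
        now = now or datetime.now(timezone.utc)
        return parsedate_to_datetime(morsel["expires"]) < now
    return False  # empty but never expiring: still treat it as live

def audit_set_cookie(header, now=None):
    """Return a list of finding strings for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if name != SESSION_COOKIE_NAME:
            continue
        if is_deletion_cookie(morsel, now):
            continue  # no session ID inside, so HttpOnly protects nothing
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly missing on live session cookie")
        if not morsel["secure"]:
            findings.append(f"{name}: Secure missing on live session cookie")
    return findings

# Constructed sample headers modelled on Django's login/logout responses.
LOGIN_HEADER = ("sessionid=k3j2h1g0; expires=Wed, 02 Dec 2015 17:39:00 GMT; "
                "HttpOnly; Max-Age=1209600; Path=/; Secure")
LOGOUT_HEADER = ('sessionid=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; '
                 "Max-Age=0; Path=/")
WEAK_LOGIN_HEADER = "sessionid=k3j2h1g0; Max-Age=1209600; Path=/"

if __name__ == "__main__":
    for header in (LOGIN_HEADER, LOGOUT_HEADER, WEAK_LOGIN_HEADER):
        print(audit_set_cookie(header) or "OK")
```

An empty value without Max-Age=0 or a past Expires is still reported, since nothing tells the browser to drop it.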
