Django snippets: Add httponly to session cookie

Add httponly to session cookie

from django.conf import settings

class cookie_httponly:
    def process_response(self, request, response):
        if response.cookies.has_key(settings.SESSION_COOKIE_NAME):
            response.cookies[settings.SESSION_COOKIE_NAME]['httponly'] = True
        return response

Middleware to set "sessionid" (ou your session cookie) with httponly (see "Django bug report"). To work, you need put it before "SessionMiddleware"

Author:: rodolfo.3
Posted:: April 12, 2010
Language:: Python
Django Version:: 1.1
Tags:: httponly cookie security
Score:: 1 (after 1 ratings)

Tools

Comments

Ciantic (on April 16, 2010):

+1.

You know it is a bit odd that Django has not adapted this the right way, that is by adding it to the Set-Cookie header in the first place.

If anyone else is interested about this see also the article about importance of this in Coding Horror, and the ticket #3304 in Django ticket system about the addition of HttpOnly.