Add httponly to session cookie

1
2
3
4
5
6
7
from django.conf import settings

class cookie_httponly:
    def process_response(self, request, response):
        if response.cookies.has_key(settings.SESSION_COOKIE_NAME):
            response.cookies[settings.SESSION_COOKIE_NAME]['httponly'] = True
        return response

More like this

  1. Sessions and authentication without cookies by danfairs 5 years, 7 months ago
  2. Middleware for using HttpOnly session cookie (including monkey patching for support for Python <2.6) by chrj 3 years, 1 month ago
  3. urlquote() and urlencode() in one method by guettli 4 years, 7 months ago
  4. Cookieless Session Middleware by juliocarlos 4 years, 6 months ago
  5. Strip Google Analytics cookies for caching middleware purposes by nf 3 years, 7 months ago

Comments

Ciantic (on April 16, 2010):

+1.

You know it is a bit odd that Django has not adapted this the right way, that is by adding it to the Set-Cookie header in the first place.

If anyone else is interested about this see also the article about importance of this in Coding Horror, and the ticket #3304 in Django ticket system about the addition of HttpOnly.

#

arthur (on October 4, 2011):

Django 1.3 includes a SESSION_COOKIE_HTTPONLY setting.

#

(Forgotten your password?)