I've set this variable in the settings file like this:
SESSION_COOKIE_HTTPONLY = True
but when I open the website with Google Chrome HttpOnly does not show up in set-cookie.
My webserver is Apache2.4, and the website is using Https protocol.
Asked
Active
Viewed 3,221 times
0
Navid777
- 3,591
- 8
- 41
- 69
1 Answers
1
I think what you are looking for is CSRF_COOKIE_HTTPONLY. Add it to your setting:
CSRF_COOKIE_HTTPONLY = True
PLease note that this will make sending AJAX requests a little harder. You will have to pull it from the page instead of getting it from the cookie.
Hope it helps!
Jahongir Rahmonov
- 13,083
- 10
- 47
- 91
-
Thanks. I added this and HttpOnly appeard on csrf. I'v also set HTTP_SESSION_SECURE, but ;secure also does not show up. – Navid777 Aug 30 '17 at 06:24
-
@Navid777 maybe you mean [CSRF_COOKIE_SECURE](https://docs.djangoproject.com/en/1.11/ref/settings/#csrf-cookie-secure)? – Jahongir Rahmonov Aug 30 '17 at 06:29
-
I want to set ;HttpOnly and ;Secure on all cookies, not only on csrf. what should I do? – Navid777 Aug 30 '17 at 06:38
-
@Navid777 try adding `SESSION_COOKIE_PATH = '/;HttpOnly'` as well – Jahongir Rahmonov Aug 30 '17 at 06:43