8

These are my current sessionId cookie attributes:

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Max-Age=1209600; Path=/

I want sessionId to be secure with the secure attribute:

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly,secure; Max-Age=1209600; Path=/

I have tried adding the following attribute in settings.py:

SESSION_COOKIE_SECURE = True

However, I am still not getting the secure attribute in sessionId. Any alternative solution for this?

Matheus Portela
user3415910

1 Answer

13
  1. Verify if your settings file is properly configured

  2. Set the SESSION_COOKIE_SECURE = True in the settings file

  3. You can test the changes by running your Django application in the interactive Shell to check if the variable got changed:

# run inside the interactive shell (./manage.py shell) so the project's settings module is loaded
from django.conf import settings
settings.SESSION_COOKIE_SECURE  # it should print "True"

Important: If you are running the application over HTTP instead of HTTPS (which is usually the case on our local machines), even with that variable set to True the session cookie will not get encrypted. It only works over HTTPS connections.

fabriciorissetto

  • We are on AWS behind a load balancer. The traffic to the load balancer is over HTTPS but from the load balancer to EC2 instances it's HTTP. I already have SESSION_COOKIE_SECURE = True but the PCI scan gave me the "insecure cookies" warning. I think the "Important" note part of your answer explains this. Any ideas about what I can do? @fabriciorissetto – gurel_kaynak Dec 28 '20 at 13:18
  • I deploy my local development server with HTTPS (with `runserver_plus` from the `django-extensions` package) for this exact reason: `./manage.py runserver_plus --cert-file cert.crt`. Browsers complain but it's a great sandbox to test in. – nicorellius Feb 10 '21 at 18:53
  • @gurel_kaynak I just found out about this. You should configure your reverse proxy or load balancer to add a header to the request, and set SECURE_PROXY_SSL_HEADER in Django to the same value. https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header – augustomen Feb 15 '22 at 19:01
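As an added example (not code from the question, the answer or Django itself), here is a small audit that parses a Set-Cookie header as a browser or a PCI scanner would see it and reports which of the Secure and HttpOnly flags the session cookie lacks. The sample headers are constructed from the cookie in the question; the corrected one writes Secure as its own semicolon-separated attribute, which is the syntax browsers honour.

```python
import re

# Constructed sample headers based on the question. The first is the cookie as
# reported there (no Secure flag); the second carries Secure as a separate
# ';'-delimited attribute, the form a browser actually recognises.
INSECURE_HEADER = (
    "Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; "
    "expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Max-Age=1209600; Path=/"
)
SECURE_HEADER = (
    "Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; "
    "expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Secure; Max-Age=1209600; Path=/"
)

# Flags a session cookie should carry: Secure keeps it off plain HTTP,
# HttpOnly keeps it away from script.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    attributes maps lower-cased attribute names to their value, or to True
    for bare flags such as Secure and HttpOnly. Splitting on ';' is safe
    here because the comma in the expires date is not a separator.
    """
    raw = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def missing_session_flags(header, cookie_name="sessionid"):
    """Return the required flags absent from the named session cookie.

    Returns None when the header sets some other cookie, so callers can
    scan a whole response without special-casing csrftoken and friends.
    """
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return None
    return [flag for flag in REQUIRED_FLAGS if attrs.get(flag) is not True]


if __name__ == "__main__":
    for hdr in (INSECURE_HEADER, SECURE_HEADER):
        print(missing_session_flags(hdr))  # ['secure'] then []
```

Running it against the headers your load balancer actually returns to the client (for example with `curl -I`) tells you whether the flag survived the proxy, independent of what settings.py says.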