SESSION_COOKIE_HTTPONLY = True在Django中不起作用:
[英]SESSION_COOKIE_HTTPONLY = True not working in Django:
问题描述
I have set the following code in my settings.py : 
我在settings.py设置了以下代码:
SESSION_COOKIE_HTTPONLY = True
even though the docs say this is default. 即使文档说这是默认设置。
Then I use ./manage.py runserver and run OWASP Zap scanner on the site. 然后,我使用./manage.py runserver并在站点上运行OWASP Zap扫描程序。 But OWASP zap says that the cookie was set without the HttpOnly flag: 但是OWASP zap表示cookie是在没有HttpOnly标志的情况下设置的:
I also have this problem when I server the site with gunicorn and nginx . 当我用gunicorn和nginx服务器站点时,我也遇到这个问题。 How can I get this flag set? 如何设置此标志?
Using django 1.8 ; 使用django 1.8 ; the page accounts/login is managed by django-registration-redux , if that is relevant. 页面accounts/login由django-registration-redux管理(如果相关)。
1 个解决方案
解决方案1
3 已采纳 2015-08-13 16:13:55
The cookie you have highlighted in the screenshot is not the session cookie, it's the csrf cookie. 您在屏幕截图中突出显示的cookie不是会话cookie,而是csrf cookie。 There is a separate setting CSRF_COOKIE_HTTPONLY for this cookie. 此cookie有单独的设置CSRF_COOKIE_HTTPONLY 。 Unlike SESSION_COOKIE_HTTPONLY , CSRF_COOKIE_HTTPONLY defaults to False , so you need to add it in your settings. 与SESSION_COOKIE_HTTPONLY不同, CSRF_COOKIE_HTTPONLY默认为False ,因此您需要在设置中添加它。
CSRF_COOKIE_HTTPONLY = True
Note that setting the csrf cookie to http only will make it trickier to do ajax post requests. 请注意,将csrf cookie设置为仅http将使执行ajax发布请求更加棘手。 Instead of using the cookie, your javascript will have to pull the csrf token from the page instead. 而不是使用cookie,您的Javascript将不得不从页面中提取csrf令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.