Session cookie is vulnerable to packet sniffing attack

Your website is vulnerable because the SESSION_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your users' session cookies over plain HTTP connections.

SessionMiddleware marks the session cookie as secure when SESSION_COOKIE_SECURE = True, so that the browser only sends the cookie over secure HTTPS connections.

Cookies sent over insecure HTTP are unencrypted, so hackers can steal the session cookie using a packet sniffer - allowing them to effectively copy and paste it into their own browser and be logged in as the user.

So in practice, do this:


import os

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]

# Allow it to be turned off in a local dev env.
# os.getenv() returns a string, so it has to be parsed explicitly:
# a plain os.getenv('SESSION_COOKIE_SECURE', True) would leave the
# string 'False' truthy and the cookie would still be marked Secure.
SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', 'True').lower() in ('1', 'true', 'yes')

Instead of this:


MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]

# SESSION_COOKIE_SECURE is not set here, so Django's default of False applies
# and the session cookie is sent over plain HTTP as well.
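To confirm the setting actually reached production, here is an added check (not Django Doctor's own code, and not part of the original page) that inspects the Set-Cookie headers a server returns and reports whether the session cookie carries the Secure attribute. It assumes Django's default cookie name sessionid; the sample headers are constructed, not captured from a real site.

```python
from http.cookies import SimpleCookie

# Django's default SESSION_COOKIE_NAME; pass your own if the project overrides it.
DEFAULT_SESSION_COOKIE_NAME = "sessionid"


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a list of (name, morsel) pairs."""
    jar = SimpleCookie()
    jar.load(header)
    return list(jar.items())


def session_cookie_is_secure(set_cookie_headers, session_cookie_name=DEFAULT_SESSION_COOKIE_NAME):
    """Return True if every Set-Cookie header that sets the session cookie has Secure.

    Returns False if any such header lacks Secure, and None when no header
    sets the session cookie at all (e.g. an anonymous response), so the
    caller can tell "not checked" apart from "checked and fine".
    """
    seen = False
    for header in set_cookie_headers:
        for name, morsel in parse_set_cookie(header):
            if name != session_cookie_name:
                continue
            seen = True
            # SimpleCookie stores flag attributes as True when present, "" otherwise.
            if not morsel["secure"]:
                return False
    return True if seen else None


# Constructed sample responses: the first is what a server with
# SESSION_COOKIE_SECURE unset sends, the second is the fixed server.
HEADERS_BEFORE_FIX = [
    "csrftoken=abc123; Path=/; SameSite=Lax",
    "sessionid=deadbeef; Path=/; HttpOnly; SameSite=Lax",
]
HEADERS_AFTER_FIX = [
    "sessionid=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(session_cookie_is_secure(HEADERS_BEFORE_FIX))  # False
    print(session_cookie_is_secure(HEADERS_AFTER_FIX))   # True
```

Feed it the raw Set-Cookie values from a login response (for example, response.raw.headers.getlist('Set-Cookie') with requests) to verify a deployment rather than trusting the settings file.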

Are you affected by this? Audit your codebase in seconds to find out.

Configuring this check

Django Doctor will run this check by default. No configuration is needed, but the check can be turned on/off using the check code missing-session-cookie-secure in your pyproject.toml file.

Read more about configuring Django Doctor.