如何使Django sessionId cookie安全 [英] How to make Django sessionId cookie as secure

问题描述

这是我当前的 sessionId cookie属性:

This is my current sessionId cookie attributes:

Set-Cookie:sessionid = 3jdpjxgepk49vrnhbabdvju3r80ci581;expires =星期一，2018年8月6日12:40:14 GMT;HttpOnly;年龄上限= 1209600；路径=/

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly; Max-Age=1209600; Path=/

我希望使用 secure 属性保护 sessionId :

Set-Cookie:sessionid = 3jdpjxgepk49vrnhbabdvju3r80ci581;expires =星期一，2018年8月6日12:40:14 GMT;HttpOnly，安全；年龄上限= 1209600；路径=/

Set-Cookie: sessionid=3jdpjxgepk49vrnhbabdvju3r80ci581; expires=Mon, 06-Aug-2018 12:40:14 GMT; HttpOnly,secure; Max-Age=1209600; Path=/

我尝试在 settings.py 中添加以下属性:

I have tried adding the following attribute in settings.py:

SESSION_COOKIE_SECURE = True

但是，我仍然没有在 sessionId 中获得 secure 属性.还有其他解决方案吗?

However, I am still not getting the secure attribute in sessionId. Any alternative solution for this?

推荐答案

1. 验证您的设置文件是否已正确配置

在设置文件中设置 SESSION_COOKIE_SECURE = True

您可以通过在交互式Shell中运行Django应用程序来测试更改检查变量是否已更改:

You can test the changes by running your Django application in the interactive Shell to check if the variable got changed:

django.conf导入设置中的

from django.conf import settings
settings.SESSION_COOKIE_SECURE # it should be printing "True"

重要提示:如果您通过HTTP而不是HTTPS运行应用程序(在我们的本地计算机上通常是这种情况)，即使该变量设置为true，会话cookie也不会被加密.它仅通过HTTPS连接工作.

Important: If you are running the application over HTTP instead of HTTPS (which is usually the case on our local machines) even with that variable set to true the session cookie will not get encrypted. It just works over HTTPS connections.

这篇关于如何使Django sessionId cookie安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！