Insecure session cookies enable session hijacking
Severity: critical | Category: security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
The SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, or CSRF_COOKIE_SECURE settings are not enabled, so the session or CSRF cookie can be transmitted over plain HTTP (exposing it on the network) or read by JavaScript (exposing it to any script injection). Either makes session hijacking and token theft significantly easier.
Recommended action:
Enable all cookie security flags in production settings: SESSION_COOKIE_SECURE = True, SESSION_COOKIE_HTTPONLY = True, SESSION_COOKIE_SAMESITE = "Lax", CSRF_COOKIE_SECURE = True, CSRF_COOKIE_SAMESITE = "Lax". Verify HTTPS is properly configured first: a cookie marked Secure is never sent over plain HTTP, so sessions would stop working on a deployment that still serves HTTP.
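The detection and the recommended action above, worked through as an added example (this is not code from the page or from Django itself). The first function audits a settings dictionary mirroring a Django settings module, falling back to Django's own defaults for any key that is absent (the defaults listed in DJANGO_DEFAULTS are an assumption about current Django releases); the second checks a live Set-Cookie header value so the fix can be verified against what the server actually emits. WEAK_SETTINGS, HARDENED_SETTINGS and the sample headers are constructed for the example.

```python
"""Audit Django cookie-security settings and emitted Set-Cookie headers."""
from __future__ import annotations

# Django's defaults for the settings the finding covers (assumption: these
# match current Django releases). Keys missing from a settings module take
# these values, which is why a bare project is still flagged.
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": False,
    "CSRF_COOKIE_SAMESITE": "Lax",
}

# What the recommended action requires. SameSite accepts "Lax" (as recommended)
# or the stricter "Strict"; the CSRF cookie is not required to be HttpOnly
# because front-end code commonly reads it to populate request headers.
REQUIRED = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": ("Lax", "Strict"),
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_SAMESITE": ("Lax", "Strict"),
}


def audit_cookie_settings(settings: dict) -> list[str]:
    """Return one finding per cookie setting that is weaker than REQUIRED."""
    findings = []
    for name, expected in REQUIRED.items():
        actual = settings.get(name, DJANGO_DEFAULTS[name])
        if isinstance(expected, tuple):
            ok = actual in expected
        else:
            # Identity check: only the bool True counts, not a truthy string.
            ok = actual is expected
        if not ok:
            findings.append(f"{name}={actual!r} (expected {expected!r})")
    return findings


def audit_set_cookie(header: str, require_httponly: bool = True) -> list[str]:
    """Check a single Set-Cookie header value for Secure, HttpOnly and SameSite.

    Attribute names are case-insensitive per RFC 6265; flag attributes have no value.
    """
    parts = [p.strip() for p in header.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{cookie_name}: missing Secure")
    if require_httponly and "httponly" not in attrs:
        findings.append(f"{cookie_name}: missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{cookie_name}: SameSite not Lax or Strict")
    return findings


# Constructed example settings: the weak configuration the finding describes
# and the hardened configuration from the recommended action.
WEAK_SETTINGS = {
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": False,
    "CSRF_COOKIE_SECURE": False,
}
HARDENED_SETTINGS = {
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_SAMESITE": "Lax",
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("defaults only", {}), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_cookie_settings(cfg) or "OK")
    # Constructed header values, as a server might emit before and after the fix.
    print(audit_set_cookie("sessionid=abc123; Path=/; HttpOnly") or "OK")
    print(audit_set_cookie("sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax") or "OK")
```

Running the settings audit against an empty dictionary shows why an untouched project is still reportable: Django's defaults leave both Secure flags off. The header check is the production-side confirmation the recommended action asks for; run it over the Set-Cookie values of a real HTTPS response (for the csrftoken cookie, pass require_httponly=False).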