6

I log into the Django admin. When I open the Firebug JS console and try to print cookies with document.cookie, I only get the csrftoken cookie. But when I open Firefox preferences > Privacy > Delete cookie..., then I can see the sessionid cookie.

How do I get that on the client side?

Lee Taylor
  • 7,761
  • 16
  • 33
  • 49
Memke
  • 684
  • 1
  • 7
  • 24

1 Answer

12

You cannot access the session cookie because it is by default set to HttpOnly. (You can see it using Firebug: Resources -> Cookies -> the sessionid row's HTTP column is checked.)

Copying from the docs:

SESSION_COOKIE_HTTPONLY
Default: True

Whether to use the HttpOnly flag on the session cookie.
If this is set to True, client-side JavaScript will not
be able to access the session cookie.

You can set SESSION_COOKIE_HTTPONLY = False in your settings.py if you really want to have access to it from client-side code. Nevertheless, it is not a recommended practice.

thikonom
  • 4,219
  • 3
  • 26
  • 30
  • 4
    Just a note that the reason that it's not recommended practice is that if your site is somehow susceptible to XSS, then an attacker could use this to steal session IDs. This of course isn't possible if the session ID isn't exposed to JS land. – Michael Mior Sep 15 '12 at 10:55
  • Another note from the docs: "There’s not much excuse for leaving this off, either: if your code depends on reading session cookies from JavaScript, you’re probably doing it wrong." – cs01 Nov 04 '16 at 17:40
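To make the behaviour in the answer above concrete, here is an added example (not code from the original post or from Django itself). Django writes its Set-Cookie headers through the standard library's http.cookies module and sets the cookie's httponly attribute when SESSION_COOKIE_HTTPONLY is True; the csrftoken cookie is written without HttpOnly by default so that AJAX code can read it, which is exactly why only csrftoken shows up in document.cookie. The functions below reproduce that header construction in simplified form, then show the check a pentester or reviewer would run against a real server's Set-Cookie headers to find sensitive cookies that are readable from JavaScript. The function and variable names are this example's own.

```python
"""Added example: why sessionid is invisible to document.cookie, and how to
audit Set-Cookie headers for sensitive cookies that lack HttpOnly.

settings.py (Django), for reference:
    SESSION_COOKIE_HTTPONLY = True    # default; sessionid hidden from JS
    SESSION_COOKIE_HTTPONLY = False   # exposes sessionid to any XSS; avoid
"""
from http.cookies import SimpleCookie


def build_set_cookie(name, value, httponly=True, secure=False, path="/"):
    """Render one Set-Cookie header value the way Django's
    HttpResponse.set_cookie does via http.cookies (simplified here)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if httponly:
        jar[name]["httponly"] = True   # this is what SESSION_COOKIE_HTTPONLY toggles
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def cookie_flags(set_cookie_value):
    """Parse a Set-Cookie header value into (cookie_name, {attribute: value}).
    Flag attributes such as HttpOnly and Secure map to True; keys are lowercased."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def visible_to_document_cookie(set_cookie_headers):
    """Names of cookies a page script could read via document.cookie:
    everything that was set without the HttpOnly flag."""
    return [
        name
        for name, attrs in (cookie_flags(h) for h in set_cookie_headers)
        if "httponly" not in attrs
    ]


def audit_headers(set_cookie_headers, sensitive=("sessionid",)):
    """Return the sensitive cookie names that a response set WITHOUT HttpOnly.
    An empty list means every listed session-bearing cookie is protected."""
    exposed = visible_to_document_cookie(set_cookie_headers)
    return [name for name in exposed if name in sensitive]


# Constructed sample: what a Django login response sends with default settings.
DEFAULT_LOGIN_HEADERS = [
    build_set_cookie("sessionid", "abc123", httponly=True),
    build_set_cookie("csrftoken", "tok456", httponly=False),
]

# Constructed sample: the same response after SESSION_COOKIE_HTTPONLY = False.
WEAKENED_LOGIN_HEADERS = [
    build_set_cookie("sessionid", "abc123", httponly=False),
    build_set_cookie("csrftoken", "tok456", httponly=False),
]

if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_LOGIN_HEADERS),
                           ("weakened", WEAKENED_LOGIN_HEADERS)):
        print(label)
        for h in headers:
            print("  Set-Cookie:", h)
        print("  readable from JS:", visible_to_document_cookie(headers))
        print("  exposed session cookies:", audit_headers(headers))
```

Against a live server, feed audit_headers() the Set-Cookie values from the login response (for example, every `Set-Cookie:` line from `curl -i`); a non-empty result is the finding. The same parser also reveals a missing Secure flag (absent "secure" key), which is the companion setting SESSION_COOKIE_SECURE.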