Django framework | ~10 mins

HTTPS and secure cookies in Django - Step-by-Step Execution

Concept Flow - HTTPS and secure cookies
1. User sends HTTP request
2. Server checks if the request is HTTPS: No
3. Redirect to HTTPS URL
4. User sends HTTPS request
5. Server sets secure cookie with Secure flag
6. Browser stores cookie, marked as HTTPS-only
7. Subsequent requests send the secure cookie only over HTTPS
8. Server reads secure cookie safely
This flow shows how a user is redirected to HTTPS and how the server sets cookies with the Secure flag so browsers only send them over HTTPS.
Execution Sample
Django (Python)
from django.http import HttpResponse
from django.shortcuts import redirect

def secure_view(request):
    # Redirect HTTP to HTTPS (replace only the scheme prefix, not other occurrences in the URL)
    if not request.is_secure():
        return redirect(request.build_absolute_uri().replace('http://', 'https://', 1))
    response = HttpResponse('ok')
    response.set_cookie('sessionid', 'abc123', secure=True)  # Secure flag: HTTPS only
    return response

This Django view redirects HTTP requests to HTTPS and, once the request is over HTTPS, sets a cookie with the Secure flag.
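The following is an added example, not part of the original page: it replays the execution table's trace with a constructed stand-in `Request` class (mirroring `request.is_secure()` and `request.COOKIES`) and a toy `Browser` cookie jar that enforces the Secure attribute the way a real browser does, so you can see which requests carry the cookie.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a Django HttpRequest (only what this example needs).
class Request:
    def __init__(self, url, cookies=None):
        self.url, self.COOKIES = url, cookies or {}

    def is_secure(self):
        return urlsplit(self.url).scheme == "https"

def secure_view(request):
    """Same logic as the page's view: redirect HTTP to HTTPS, then set a Secure cookie."""
    if not request.is_secure():
        parts = urlsplit(request.url)
        return {"status": 302, "location": urlunsplit(("https",) + parts[1:]), "set_cookie": None}
    if "sessionid" in request.COOKIES:  # cookie already present: nothing to set
        return {"status": 200, "location": None, "set_cookie": None}
    c = SimpleCookie()
    c["sessionid"] = "abc123"
    c["sessionid"]["secure"] = True  # emits "; Secure" in the Set-Cookie header
    return {"status": 200, "location": None, "set_cookie": c.output(header="").strip()}

class Browser:
    """Toy cookie jar: Secure cookies are only attached to https:// requests."""
    def __init__(self):
        self.jar = {}  # name -> (value, secure_flag)

    def store(self, set_cookie_header):
        c = SimpleCookie()
        c.load(set_cookie_header)
        for name, morsel in c.items():
            self.jar[name] = (morsel.value, bool(morsel["secure"]))

    def cookies_for(self, url):
        https = urlsplit(url).scheme == "https"
        return {n: v for n, (v, secure) in self.jar.items() if https or not secure}

def run_trace(urls):
    """Replay a sequence of requests; return (step, status, cookie_sent) per request."""
    browser, log = Browser(), []
    for step, url in enumerate(urls, 1):
        sent = browser.cookies_for(url)
        resp = secure_view(Request(url, sent))
        if resp["set_cookie"]:
            browser.store(resp["set_cookie"])
        log.append((step, resp["status"], "sessionid" in sent))
    return log

if __name__ == "__main__":
    # Constructed trace: HTTP, HTTPS, HTTPS again, then HTTP again (as in the execution table)
    print(run_trace(["http://example.com/", "https://example.com/", "https://example.com/", "http://example.com/"]))
```

In a real project the same behaviour comes from Django's SECURE_SSL_REDIRECT and SESSION_COOKIE_SECURE settings rather than hand-written view logic.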
Execution Table
| Step | Action | Condition | Result | Cookie Sent |
|---|---|---|---|---|
| 1 | User sends HTTP request | Request is HTTP | Redirect to HTTPS URL | No |
| 2 | User sends HTTPS request | Request is HTTPS | Process request | No (first request) |
| 3 | Server sets cookie | Set cookie with Secure=True | Cookie stored in browser with Secure flag | No (set in response) |
| 4 | User sends next HTTPS request | Request is HTTPS | Send cookie with request | Yes (cookie sent) |
| 5 | User sends HTTP request again | Request is HTTP | Redirect to HTTPS URL | No (cookie not sent over HTTP) |
💡 The trace ends here: the user is now on HTTPS, and the cookie is only ever sent over HTTPS, so it is never exposed on an insecure connection.
Variable Tracker
| Variable | Start | After Step 3 | After Step 4 | After Step 5 |
|---|---|---|---|---|
| request.is_secure() | False (HTTP) | True (HTTPS) | True (HTTPS) | False (HTTP) |
| cookie 'sessionid' | Not set | Set with Secure flag | Sent with HTTPS request | Not sent with HTTP request |
Key Moments - 3 Insights
Why doesn't the browser send the secure cookie over HTTP?
Because the cookie has the Secure flag set (see execution table, step 5), browsers only send it over HTTPS connections.
What happens if the user tries to access the site with HTTP?
The server redirects the user to HTTPS (execution table, steps 1 and 5), ensuring all communication is secure.
When is the secure cookie actually stored in the browser?
After the server sets it in the HTTPS response (execution table, step 3), the browser stores it with the Secure flag.
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution table, at which step is the secure cookie first sent by the browser?
A. Step 3
B. Step 4
C. Step 1
D. Step 5
💡 Hint
Check the 'Cookie Sent' column in the execution table for when the cookie is sent.
According to the variable tracker, what is the value of request.is_secure() after step 3?
A. False
B. Undefined
C. True
D. None
💡 Hint
Look at the 'request.is_secure()' row and the 'After Step 3' column in the variable tracker.
If the Secure flag was not set on the cookie, what would change in the execution table?
A. Cookie would be sent over HTTP requests too
B. User would not be redirected to HTTPS
C. Cookie would never be stored
D. Server would reject the cookie
💡 Hint
Think about the Secure flag's role in restricting when the cookie is sent (see the key moment about step 5).
Concept Snapshot
HTTPS and secure cookies in Django:
- Redirect HTTP requests to HTTPS for security
- Set cookies with secure=True to restrict sending to HTTPS only
- Browsers send secure cookies only over HTTPS connections
- Secure cookies prevent exposure over insecure HTTP
- Use request.is_secure() to detect HTTPS in Django views
Full Transcript
This visual trace shows how HTTPS and secure cookies work in Django. When a user sends an HTTP request, the server redirects them to HTTPS. Once on HTTPS, the server sets a cookie with the Secure flag. The browser stores this cookie but only sends it back on HTTPS requests, never on HTTP. This protects the cookie from being sent over insecure connections. The variable tracker shows how request.is_secure() changes from False to True when switching to HTTPS, and how the cookie is stored and sent only over HTTPS. Key moments clarify why the Secure flag matters and how redirects enforce HTTPS. The quiz tests understanding of when cookies are sent and the role of the Secure flag.