Cookie Chaos: How to Bypass __Host and __Secure Cookie Prefixes
Source: portswigger.net
Key topics
Web Security
Cookie Security
Django Framework
A researcher discovered a way to bypass __Host and __Secure cookie prefixes, with a disappointing response from Django regarding fixing the issue.
- Story posted: Sep 3, 2025 at 11:13 AM EDT
- First comment: Sep 3, 2025 at 6:47 PM EDT (8h after posting)
Discussion (1 comment)
nomoreofthat
4 months ago
That’s clever! Disappointing response from Django if that means they’re not going to fix it… I could understand it being outside the scope of their official vulnerability classification/process/whatever, but it’s still a clear correctness bug.
Hacker News story ID: 45116767 (last synced 11/17/2025, 10:09:15 PM)