On Monday 04 January 2010 21:45:41 jcampbell1 wrote:

> I am not that familiar with your framework, but I think a signed
> cookie should use http only cookies by default. There is no valid
> reason for a script to read a cookie that it can't verify. http
> only cookies significantly decrease the surface area of XSS
> attacks.
I can think of various circumstances where it might be useful and harmless. For example, if the signed cookie stored the user's login name, and some client side javascript used the login name for some convenience feature, like highlighting the login name wherever it appeared on the page.

To generalise, the issue of using HttpOnly cookies is orthogonal to whether they are signed or not, because the value of the cookie can be used in multiple ways, not all of which will depend on the value being verified.

Luke

-- 
"Love is like an hourglass, with the heart filling up as the brain empties."

Luke Plant || http://lukeplant.me.uk/
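The orthogonality Luke describes, shown as an added example that is not from the thread or from Django's own code (Django's real implementation lives in `django.core.signing` and `HttpResponse.set_signed_cookie`, which takes its own `httponly` argument). The helper names, the constructed `SECRET_KEY` and the `login` cookie are assumptions for illustration. Signing only protects integrity: the payload stays readable by anyone holding the cookie, which is why a script can use it without verifying, while the server rejects any tampered value. Whether a script is allowed to read it at all is a separate decision, made by the `HttpOnly` flag on the `Set-Cookie` header.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed server-side secret for this example only (Django keeps the real
# one in settings.SECRET_KEY). Never hard-code a secret like this.
SECRET_KEY = b"example-secret-do-not-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server secret."""
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def sign_value(value: str) -> str:
    """Produce 'payload:signature'. The payload is encoded, not encrypted."""
    payload = _b64(value.encode())
    return f"{payload}:{_mac(payload)}"


def verify_value(signed: str):
    """Server side: return the original value only if the MAC matches, else None."""
    payload, sep, sig = signed.rpartition(":")
    if not sep or not hmac.compare_digest(sig, _mac(payload)):
        return None
    return _unb64(payload).decode()


def read_without_verifying(signed: str) -> str:
    """What client-side script can do: decode the payload with no secret at all.
    Fine for a convenience feature; never a basis for a security decision."""
    payload = signed.rpartition(":")[0]
    return _unb64(payload).decode()


def set_cookie_header(name: str, value: str, *, httponly: bool, secure: bool = True) -> str:
    """Render a Set-Cookie header for a signed value. Signing and HttpOnly are
    chosen independently: the same signed payload can ship with either flag."""
    cookie = SimpleCookie()
    cookie[name] = sign_value(value)
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = httponly  # controls script access, not integrity
    cookie[name]["secure"] = secure
    return cookie[name].OutputString()


if __name__ == "__main__":
    signed = sign_value("luke")
    print(set_cookie_header("login", "luke", httponly=False))  # readable by script
    print(set_cookie_header("login", "luke", httponly=True))   # hidden from script
    print("server accepts:", verify_value(signed))
    print("script reads:", read_without_verifying(signed))
    # Swap in another user's payload while keeping the old signature: rejected.
    forged = sign_value("admin").split(":")[0] + ":" + signed.split(":")[1]
    print("server accepts forged:", verify_value(forged))
```

The practical reading of the thread: choose `httponly=True` whenever no script needs the value (it removes the cookie from what a successful XSS can read), and leave it off only for cookies a script genuinely consumes; in either case the server keeps verifying the signature and never trusts the unverified payload.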
