On Mon, Jan 4, 2010 at 4:53 PM, Luke Plant <[email protected]> wrote:
> On Monday 04 January 2010 21:45:41 jcampbell1 wrote:
>
>> I am not that familiar with your framework, but I think a signed
>> cookie should use http only cookies by default. There is no valid
>> reason for a script to read a cookie that it can't verify. http
>> only cookies significantly decrease the surface area of XSS
>> attacks.
>
> I can think of various circumstances where it might be useful and
> harmless. For example, if the signed cookie stored the user's login
> name, and some client side javascript used the login name for some
> convenience feature, like highlighting the login name wherever it
> appeared on the page.
>
> To generalise, the issue of using HttpOnly cookies is orthogonal to
> whether they are signed or not, because the value of the cookie can be
> used in multiple ways, not all of which will depend on the value being
> verified.
>
> Luke
>
> --
> "Love is like an hourglass, with the heart filling up as the brain
> empties."
>
> Luke Plant || http://lukeplant.me.uk/
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/django-developers?hl=en.
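To make Luke's orthogonality point concrete, here is an added example (not code from the thread or from Django) of a minimal signed cookie built with the Python standard library: the HMAC signature is created and checked entirely server side, while the HttpOnly flag is a separate choice made when the Set-Cookie header is emitted. The key, cookie name and helper names are constructed for the example and are not Django's API.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed key for this example only; a real app loads it from settings.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value:signature', the signature being a URL-safe HMAC-SHA256 over value."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    sig = base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")
    return f"{value}:{sig}"


def unsign_value(signed: str, key: bytes = SECRET_KEY):
    """Return the original value if the signature verifies, otherwise None.

    The value may itself contain ':', so split on the last colon only.
    """
    value, sep, sig = signed.rpartition(":")
    if not sep:
        return None
    expected = sign_value(value, key).rpartition(":")[2]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    return value


def build_set_cookie(name: str, value: str, httponly: bool) -> str:
    """Emit the Set-Cookie attribute string for a signed cookie.

    Signing protects integrity (the server will reject a tampered value);
    HttpOnly only decides whether page scripts may read the value. They are
    independent knobs, which is the point made in the thread.
    """
    cookie = SimpleCookie()
    cookie[name] = sign_value(value)
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = httponly  # emitted as 'HttpOnly' only when True
    return cookie[name].OutputString()


def cookie_value_from_header(header: str) -> str:
    """Pull 'name=value' out of the attribute string and return the raw value."""
    first = header.split(";", 1)[0]
    return first.split("=", 1)[1]


if __name__ == "__main__":
    # Hypothetical login-name cookie, as in Luke's example.
    for flag in (True, False):
        hdr = build_set_cookie("username", "alice", httponly=flag)
        print(hdr)
        # Verification succeeds either way: signing is orthogonal to HttpOnly.
        print("  verifies as:", unsign_value(cookie_value_from_header(hdr)))
    # A tampered value fails verification regardless of the flag.
    print("tampered:", unsign_value(sign_value("alice").replace("alice", "mallory", 1)))
```

Running the script prints one header line with `HttpOnly` and one without; both carry a value that `unsign_value` accepts, and the tampered value is rejected in both cases.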
So, thinking out loud here, I know the DSF has a policy of hands off in the development of Django, but I was thinking (out loud) that perhaps it would be sensible for the DSF to hire someone to do a security audit of some of this stuff. I have 0 clue about the particulars of how anything like that works, but it was just a thought that occurred to me.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Voltaire
"The people's good is the highest law." -- Cicero
"Code can always be simpler than you think, but never as simple as you want" -- Me
