#3304: [patch] Support "httponly"-attribute in session cookie.
---------------------+------------------------------------------------------
Reporter:  arvin                | Owner:  adrian
Status:  new                    | Component:  Core framework
Version:  SVN                   | Resolution:
Keywords:                       | Stage:  Design decision needed
Has_patch:  1                   | Needs_docs:  1
Needs_tests:  1                 | Needs_better_patch:  1
---------------------+------------------------------------------------------
Comment (by arvin):

Replying to [comment:5 [EMAIL PROTECTED]:
> Hmm, we probably can't use a patch that requires a patched python. Any
> different solution?

Surely Python itself has to be extended.  In Django we can check
sys.hexversion and write that the feature only works with e.g. python 2.6
or higher.

> Also, could you point me to where the RFC is talking about 'httponly'? I
> couldn't find it at all. According to the specs from the Microsoft site,
> it makes the cookie unavailable to script languages.

The RFC doesn't talk about 'httponly'.  Microsoft introduced it later on.

The attribute makes the cookie unavailable to scripts in the browser, e.g.
Javascript injected through XSS.

--
Ticket URL: <http://code.djangoproject.com/ticket/3304#comment:7>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
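The HttpOnly behaviour discussed in this ticket, as an added example that is not the ticket's patch or Django's own code: it builds a session Set-Cookie value with Python's standard cookie module, feature-detecting httponly support instead of relying on sys.hexversion alone, and appending the attribute by hand on interpreters whose cookie module lacks it. The cookie name `sessionid` and the use of the private `Morsel._reserved` table are assumptions.

```python
import sys
from http.cookies import SimpleCookie, Morsel

# Python 2.6 was the first release whose Cookie module knew "httponly";
# the version test mirrors the sys.hexversion check suggested in the ticket.
MIN_HTTPONLY_HEXVERSION = 0x02060000


def morsel_supports_httponly():
    """True if this interpreter's cookie module accepts the 'httponly'
    attribute. Feature detection (assumption: the private _reserved table
    lists every attribute Morsel will accept) is preferred over the version
    number, but both are shown."""
    return ("httponly" in Morsel._reserved
            and sys.hexversion >= MIN_HTTPONLY_HEXVERSION)


def session_cookie_header(session_key, max_age=1209600, secure=False):
    """Return the Set-Cookie value for the session cookie with HttpOnly set,
    so a script injected through XSS cannot read it via document.cookie.
    Cookie name 'sessionid' and the two-week max-age are assumed values."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_key
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if secure:
        # Only send the cookie over TLS; independent of HttpOnly.
        morsel["secure"] = True
    if morsel_supports_httponly():
        morsel["httponly"] = True
        return morsel.OutputString()
    # Older cookie modules raise CookieError on unknown attributes, so the
    # attribute is appended to the serialised string instead.
    return morsel.OutputString() + "; HttpOnly"


if __name__ == "__main__":
    print("Set-Cookie: " + session_cookie_header("constructed-session-key"))
```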
