#3304: [patch] Support "httponly"-attribute in session cookie.
-------------------------------------+--------------------------------------
Reporter: arvin | Owner: nobody
Status: new | Milestone:
Component: Core framework | Version: SVN
Resolution: | Keywords: session security
Stage: Accepted | Has_patch: 1
Needs_docs: 0 | Needs_tests: 1
Needs_better_patch: 0 |
-------------------------------------+--------------------------------------
Comment (by lukeplant):
Replying to [comment:29 cyounkins]:
> Does Django have a vulnerability? No. Is Django empowering users to
> secure their apps? No. And I think it should.
We absolutely agree, and have consistently sought to do just that - we
have excellent out-of-the-box behaviour and APIs for all kinds of security
issues. Russell's comment was about whether this feature should be
backported to our bug fix branch or not. The answer is it shouldn't, as
it is a new feature, and it is not a "security issue" in the sense that is
relevant for our policy regarding backporting security fixes. But we do
want to add it to trunk, and would do so much quicker if a patch appeared
that addressed the current deficiencies - namely the need for tests. The
patch also needs to be updated for [12282] AFAICS.
--
Ticket URL: <http://code.djangoproject.com/ticket/3304#comment:30>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
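The comment above asks for tests before the httponly patch can land. As an added example, not code from this ticket, its patch, or Django itself, the block below shows what such a test would check: it renders a session cookie's Set-Cookie value with and without the HttpOnly attribute and parses the header back to confirm the flag is present. It uses only the Python 3 standard library (`http.cookies`), and the cookie name `sessionid` and the `httponly` switch are assumptions standing in for Django's settings.

```python
from http.cookies import SimpleCookie

# Assumed session cookie name for this example (stands in for a Django setting;
# not something this ticket documents).
SESSION_COOKIE_NAME = "sessionid"


def build_session_set_cookie(session_key, httponly, secure=False, max_age=1209600):
    """Render the Set-Cookie header value for the session cookie.

    `httponly` plays the role of the per-site switch the ticket asks for:
    when True the cookie carries the HttpOnly attribute, which tells browsers
    not to expose it to script (document.cookie), limiting what an XSS bug can read.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    # Morsel.OutputString() yields e.g. "sessionid=abc; HttpOnly; Max-Age=1209600; Path=/"
    return morsel.OutputString()


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value into (cookie_name, {attribute: value}).

    Attribute names are lower-cased; bare flags such as HttpOnly and Secure map to True.
    """
    first, *attrs = [part.strip() for part in set_cookie_value.split(";")]
    name, _, _ = first.partition("=")
    flags = {}
    for attr in attrs:
        key, sep, value = attr.partition("=")
        flags[key.strip().lower()] = value.strip() if sep else True
    return name, flags


def session_cookie_is_httponly(set_cookie_value):
    """The assertion a regression test for this feature would make."""
    name, flags = cookie_flags(set_cookie_value)
    return name == SESSION_COOKIE_NAME and flags.get("httponly") is True


if __name__ == "__main__":
    # Constructed session key; a real one would come from the session backend.
    for enabled in (True, False):
        header = build_session_set_cookie("c0nstructedsessionkey", httponly=enabled)
        print(enabled, "->", header, "| HttpOnly present:", session_cookie_is_httponly(header))
```

Running the block prints the two header variants; the parser is deliberately separate from the builder so the same check can be pointed at a Set-Cookie header captured from a live response rather than one the test built itself.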