#16847: Session Cookies should default to HttpOnly = True
-------------------------------------+-------------------------------------
     Reporter:  PaulM                |                    Owner:  nobody
         Type:  Cleanup/optimization |                   Status:  new
    Milestone:  1.4                  |                Component:  contrib.sessions
      Version:  1.3                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 The Session cookies that Django sets should default to `HttpOnly = True`.
 While this does not mitigate every form of session and cookie theft, it
 would improve security significantly. This is especially true in the cases
 where XSS is possible, despite our best efforts to stop it.

 In 1.3, we added support for `HttpOnly` as the fix for #3304. The default
 setting then was False. For 1.4 it should be True. At this time, all major
 browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).

 Applications which are directly accessing the session cookie with AJAX are
 probably doing it wrong. There's no legitimate reason this cookie needs to
 be available to scripts. If we make it unavailable to scripts, we make
 actually exploiting an XSS bug significantly more difficult.
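 Added example (not code from the ticket or from Django itself): it renders the
 Set-Cookie header a session middleware emits under the weak and the hardened
 value of SESSION_COOKIE_HTTPONLY, then audits raw Set-Cookie headers for the
 flag the way a defender checking a live response would. The cookie name
 `sessionid` is Django's default; the session key and the sample headers are
 constructed.

```python
from http.cookies import SimpleCookie

# Django's default value for SESSION_COOKIE_NAME.
SESSION_COOKIE_NAME = "sessionid"


def build_session_cookie(session_key, httponly, secure=False, path="/"):
    """Render a Set-Cookie value the way response.set_cookie() would, with
    `httponly` standing in for SESSION_COOKIE_HTTPONLY and `secure` for
    SESSION_COOKIE_SECURE (settings.py: SESSION_COOKIE_HTTPONLY = True)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = path
    if httponly:
        morsel["httponly"] = True   # emitted as the bare "HttpOnly" attribute
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(set_cookie_values, session_cookie_name=SESSION_COOKIE_NAME):
    """Inspect one string per Set-Cookie header and report whether the session
    cookie carries the HttpOnly and Secure flags. A missing flag is reported
    as False so the weak setting is visible without reading the config."""
    for value in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(value)
        morsel = parsed.get(session_cookie_name)
        if morsel is None:
            continue
        # Unset flags come back as "" from the Morsel; set ones as True.
        return {
            "found": True,
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
        }
    return {"found": False, "httponly": False, "secure": False}


if __name__ == "__main__":
    # Constructed headers: the 1.3 default (weak) next to the proposed default.
    weak = [build_session_cookie("c0nstructedkey", httponly=False)]
    hardened = [build_session_cookie("c0nstructedkey", httponly=True, secure=True)]
    print(weak[0], audit_set_cookie(weak))
    print(hardened[0], audit_set_cookie(hardened))
```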

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16847>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
