Re: Regarding httponly cookies

2010-03-17 Thread Dennis Kaarsemaker
On wo, 2010-03-17 at 11:10 -0700, Yuchen Zhou wrote:

> So does this ticket mean Django now supports httponly cookies? And is
> it httponly by default?
> Or does the application administrator have to turn it on?

The discussion on http://code.djangoproject.com/ticket/3304 indicates
that neither python nor django at the moment support it and that django
will need to implement its own cookie handling if it wants to continue
supporting python versions as old as 2.4.

There are patches attached to the issue, but none of those have been
applied to django yet.

-- 
Dennis K.

The universe tends towards maximum irony. Don't push it.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to 
django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en.



Re: Regarding httponly cookies

2010-03-17 Thread Yuchen Zhou
Hi,

Thanks for your response!

So does this ticket mean Django now supports httponly cookies? And is
it httponly by default?
Or does the application administrator have to turn it on?

Best,

On Mar 17, 11:49 am, Tom Evans wrote:
> On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> > Hi,
>
> > I'm a security researcher at the University of Virginia. I have been
> > looking into the use and adoption of http-only cookies. My advisor is
> > Professor David Evans.
>
> > We were surprised to discover that Django does not explicitly support
> > the httponly cookie field. I have searched for some solutions, but they all
> > require patching Python or Django. I think if the client-side JS
> > does not need to access the cookie value, which is true at least for
> > authentication tokens, we should set that cookie httponly in order to
> > prevent cookie stealing through cross-site scripting attacks.
>
> > Is there any other good reason that Django does not support this
> > feature? Are we missing something here?
>
> > Thank you very much.
>
> > Best,
>
> > --Yuchen
> > yz...@virginia.edu
> > Graduate student at Computer Science Dept.
> > University of Virginia
>
> See http://code.djangoproject.com/ticket/3304
>
> Cheers
>
> Tom




Re: Regarding httponly cookies

2010-03-17 Thread Tom Evans
On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> Hi,
>
> I'm a security researcher at the University of Virginia. I have been
> looking into the use and adoption of http-only cookies. My advisor is
> Professor David Evans.
>
> We were surprised to discover that Django does not explicitly support
> the httponly cookie field. I have searched for some solutions, but they all
> require patching Python or Django. I think if the client-side JS
> does not need to access the cookie value, which is true at least for
> authentication tokens, we should set that cookie httponly in order to
> prevent cookie stealing through cross-site scripting attacks.
>
> Is there any other good reason that Django does not support this
> feature? Are we missing something here?
>
> Thank you very much.
>
> Best,
>
> --Yuchen
> yz...@virginia.edu
> Graduate student at Computer Science Dept.
> University of Virginia
>

See http://code.djangoproject.com/ticket/3304

Cheers

Tom




Regarding httponly cookies

2010-03-17 Thread Yuchen Zhou
Hi,

I'm a security researcher at the University of Virginia. I have been
looking into the use and adoption of http-only cookies. My advisor is
Professor David Evans.

We were surprised to discover that Django does not explicitly support
the httponly cookie field. I have searched for some solutions, but they all
require patching Python or Django. I think if the client-side JS
does not need to access the cookie value, which is true at least for
authentication tokens, we should set that cookie httponly in order to
prevent cookie stealing through cross-site scripting attacks.

Is there any other good reason that Django does not support this
feature? Are we missing something here?

Thank you very much.

Best,

--Yuchen
yz...@virginia.edu
Graduate student at Computer Science Dept.
University of Virginia

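The two technical points in this thread, as an added Python example that is not code from ticket 3304, from Django, or from any of the posters: Yuchen's rationale (a session cookie that client-side script never needs to read should carry HttpOnly so an XSS payload cannot lift it from document.cookie), and Dennis's observation that at the time neither Python's cookie module nor Django knew the attribute, so a framework had to append it to the Set-Cookie header itself. The block builds such a header with the standard library's http.cookies.SimpleCookie (which understands the httponly and secure flags in later Python versions than the 2.4 discussed here), shows the hand-appended fallback a framework needed before that, and audits a list of Set-Cookie values for cookies missing HttpOnly or Secure. The function names, cookie names and header samples are constructed for this example; which cookies may carry HttpOnly stays an application decision, since a cookie that JavaScript legitimately reads cannot.

```python
"""Added example, not code from the Django ticket, Django itself, or the thread.

1. session_cookie_header(): a Set-Cookie value for a session token carrying
   HttpOnly (and Secure), built with http.cookies.SimpleCookie, which
   understands those flags in current Python versions.
2. add_httponly(): the fallback a framework needed when its cookie library
   did not know the attribute: append "; HttpOnly" to the finished header.
3. audit_set_cookie(): a defender-side check over Set-Cookie values a server
   sends, listing cookies that lack HttpOnly or Secure.

Cookie names and header samples below are constructed for this example.
"""
from http.cookies import SimpleCookie


def session_cookie_header(name, value, secure=True, max_age=None):
    """Return a Set-Cookie header value for `name` with HttpOnly set, so the
    token is sent on requests but is invisible to document.cookie."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = secure        # only transmitted over HTTPS when True
    morsel["path"] = "/"
    if max_age is not None:
        morsel["max-age"] = max_age  # integer seconds
    # SimpleCookie emits attributes in sorted order, e.g.
    # "sessionid=...; HttpOnly; Max-Age=3600; Path=/; Secure"
    return morsel.OutputString()


def add_httponly(header_value):
    """Append HttpOnly to an already-built Set-Cookie value unless it is
    present (attribute names compare case-insensitively per RFC 6265)."""
    attrs = [part.strip() for part in header_value.split(";")][1:]
    if any(attr.lower() == "httponly" for attr in attrs):
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


def audit_set_cookie(header_values):
    """Return {cookie_name: [missing attributes]} for every Set-Cookie value
    that lacks HttpOnly or Secure. Deciding which findings matter is left to
    the caller: a cookie that client-side script must read (a CSRF token in
    some setups) cannot carry HttpOnly, while a session token always should."""
    findings = {}
    for header_value in header_values:
        parts = [part.strip() for part in header_value.split(";") if part.strip()]
        if not parts:
            continue
        name = parts[0].split("=", 1)[0].strip()
        present = {part.split("=", 1)[0].strip().lower() for part in parts[1:]}
        missing = [flag for flag in ("HttpOnly", "Secure")
                   if flag.lower() not in present]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample of headers a server might send.
SAMPLE_HEADERS = [
    "sessionid=2f9c1d4e7a; Path=/",                  # session token, no flags
    "csrftoken=ab12cd34ef; Path=/; Secure",          # JS may need to read this
    "theme=dark; Path=/; HttpOnly; Secure",          # fine
]


if __name__ == "__main__":
    print(session_cookie_header("sessionid", "2f9c1d4e7a", max_age=3600))
    print(add_httponly("sessionid=2f9c1d4e7a; Path=/"))
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print("%s is missing: %s" % (cookie, ", ".join(missing)))
```

Running the audit over the constructed sample flags the session token for both attributes and the CSRF token for HttpOnly only; the second finding is the kind the application has to judge, since Django's own AJAX pattern reads the CSRF token from JavaScript.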