Re: Regarding httponly cookies
On wo, 2010-03-17 at 11:10 -0700, Yuchen Zhou wrote:
> So does this ticket mean django now supports httponly cookies? And is
> it by default httponly?
> Or does the application administrator have to turn it on?

The discussion on http://code.djangoproject.com/ticket/3304 indicates that neither python nor django at the moment support it and that django will need to implement its own cookie handling if it wants to continue supporting python versions as old as 2.4. There are patches attached to the issue, but none of those have been applied to django yet.

--
Dennis K.

The universe tends towards maximum irony. Don't push it.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To post to this group, send email to django-develop...@googlegroups.com.
To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
Re: Regarding httponly cookies
Hi,

Thanks for your response!

So does this ticket mean django now supports httponly cookies? And is it by default httponly? Or does the application administrator have to turn it on?

Best,

On Mar 17, 11:49 am, Tom Evans wrote:
> On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> > Hi,
> >
> > I'm a security researcher at the University of Virginia. I have been
> > looking into the use and adoption of http-only cookies. My advisor is
> > professor David Evans.
> >
> > We were surprised to discover that Django does not explicitly support the
> > httponly cookie field. I have searched for some solutions, but they all
> > require patching python or Django. I think if the client-side JS
> > does not need to access the cookie value, which is true at least for
> > authentication tokens, we should set that cookie httponly in order to
> > prevent cookie stealing against cross-site scripting attacks.
> >
> > Is there any other good reason that django is not supporting this
> > feature? Are we missing something here?
> >
> > Thank you very much.
> >
> > Best,
> >
> > --Yuchen
> > yz...@virginia.edu
> > Graduate student at Computer Science Dept.
> > University of Virginia
>
> See http://code.djangoproject.com/ticket/3304
>
> Cheers
>
> Tom
Re: Regarding httponly cookies
On Wed, Mar 17, 2010 at 3:42 PM, Yuchen Zhou wrote:
> Hi,
>
> I'm a security researcher at the University of Virginia. I have been
> looking into the use and adoption of http-only cookies. My advisor is
> professor David Evans.
>
> We were surprised to discover that Django does not explicitly support the
> httponly cookie field. I have searched for some solutions, but they all
> require patching python or Django. I think if the client-side JS
> does not need to access the cookie value, which is true at least for
> authentication tokens, we should set that cookie httponly in order to
> prevent cookie stealing against cross-site scripting attacks.
>
> Is there any other good reason that django is not supporting this
> feature? Are we missing something here?
>
> Thank you very much.
>
> Best,
>
> --Yuchen
> yz...@virginia.edu
> Graduate student at Computer Science Dept.
> University of Virginia
>

See http://code.djangoproject.com/ticket/3304

Cheers

Tom
Regarding httponly cookies
Hi,

I'm a security researcher at the University of Virginia. I have been looking into the use and adoption of http-only cookies. My advisor is professor David Evans.

We were surprised to discover that Django does not explicitly support the httponly cookie field. I have searched for some solutions, but they all require patching python or Django. I think if the client-side JS does not need to access the cookie value, which is true at least for authentication tokens, we should set that cookie httponly in order to prevent cookie stealing against cross-site scripting attacks.

Is there any other good reason that django is not supporting this feature? Are we missing something here?

Thank you very much.

Best,

--Yuchen
yz...@virginia.edu
Graduate student at Computer Science Dept.
University of Virginia
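The thread above turns on two practical points: emitting the HttpOnly attribute on an authentication cookie so that injected script cannot read it through document.cookie, and checking whether a framework actually does so. The following is an added example written for this page, not code from the thread, from Django, or from the ticket's patches. It uses Python 3's standard-library http.cookies module, which (unlike the Python 2.4-era module the thread discusses) already knows the HttpOnly and Secure attributes, to render such a cookie, and it pairs that with a small auditor that reads raw response header lines and reports cookies missing those flags. The header lines, cookie names and values are constructed samples; the function names are the example's own.

```python
from http.cookies import SimpleCookie

# Attributes a session/auth cookie should carry: HttpOnly keeps document.cookie
# from exposing it to injected script, Secure keeps it off plaintext connections.
REQUIRED_FLAGS = ("httponly", "secure")


def build_session_cookie(name, value, secure=True):
    """Render the Set-Cookie header value for an HttpOnly (and, by default,
    Secure) cookie using the standard-library cookie module."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True   # http.cookies renders this flag as "HttpOnly"
    if secure:
        morsel["secure"] = True
    # Attributes are emitted in alphabetical order of their internal key,
    # e.g. "sessionid=abc123; HttpOnly; Path=/; Secure".
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return (cookie_name, missing_flags),
    where missing_flags lists the REQUIRED_FLAGS that are absent."""
    parts = [part.strip() for part in header_value.split(";") if part.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like HttpOnly carry no value.
    attrs = {part.split("=", 1)[0].strip().lower() for part in parts[1:]}
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    return name, missing


def find_unprotected_cookies(header_lines, names_of_interest=None):
    """Scan raw response header lines and map each cookie name that lacks a
    required flag to the list of flags it is missing. If names_of_interest is
    given, only those cookies (e.g. the session cookie) are reported, since
    cookies a page script legitimately reads cannot be HttpOnly."""
    findings = {}
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, missing = audit_set_cookie(value.strip())
        if names_of_interest is not None and name not in names_of_interest:
            continue
        if missing:
            findings[name] = missing
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: " + build_session_cookie("sessionid", "abc123"),
    "Set-Cookie: csrftoken=xyz789; Path=/",
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    print(build_session_cookie("sessionid", "abc123"))
    for name, missing in find_unprotected_cookies(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Running the auditor over the sample headers flags csrftoken and theme but not sessionid. Passing names_of_interest restricts the report to the cookies that should never be script-readable, which is the distinction Yuchen draws: a cookie the page's own JavaScript must read cannot be HttpOnly, while an authentication token has no such need. For reference, later Django releases added an httponly argument to HttpResponse.set_cookie and a SESSION_COOKIE_HTTPONLY setting, so the workaround the thread contemplates is no longer needed on current versions.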