On Jan 4, 7:47 am, Simon Willison <si...@simonwillison.net> wrote: > And set_signed_cookie() is here: > > http://github.com/simonw/django/blob/signed/django/http/__init__.py#L388 >
I am not that familiar with your framework, but I think a signed cookie should use http only cookies by default. There is no valid reason for a script to read a cookie that it can't verify. http only cookies significantly decrease the surface area of XSS attacks. Regards, John Campbell -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.