Index: conf/global_settings.py
===================================================================
--- conf/global_settings.py	(revision 4750)
+++ conf/global_settings.py	(working copy)
@@ -264,6 +264,7 @@
 SESSION_COOKIE_SECURE = False             # Whether the session cookie should be secure (https:// only).
 SESSION_SAVE_EVERY_REQUEST = False        # Whether to save the session data on every request.
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False   # Whether sessions expire when a user closes his browser.
+SESSION_HTTP_ONLY = False                 # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
 
 #########
 # CACHE #
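Review bot: The comment on the new `SESSION_HTTP_ONLY` line names the browsers that honour the flag but not what the flag does, which is what a deployer needs in order to decide whether to enable it. Suggest `# Whether to set the HttpOnly flag on the session cookie so client-side script cannot read it (non-RFC; IE, FF3+, others)`. With the default at `False` the protection is opt-in, consistent with the other `SESSION_*` defaults in this block, and the settings documentation should say so explicitly.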
Index: contrib/sessions/middleware.py
===================================================================
--- contrib/sessions/middleware.py	(revision 4750)
+++ contrib/sessions/middleware.py	(working copy)
@@ -94,5 +94,6 @@
                     datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
                 response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
                     max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
-                    secure=settings.SESSION_COOKIE_SECURE or None)
+                    secure=settings.SESSION_COOKIE_SECURE or None,
+                    httponly=settings.SESSION_HTTP_ONLY or None)
         return response
Index: http/__init__.py
===================================================================
--- http/__init__.py	(revision 4750)
+++ http/__init__.py	(working copy)
@@ -1,5 +1,5 @@
 import os
-from Cookie import SimpleCookie
+from Cookie import SimpleCookie, Morsel
 from pprint import pformat
 from urllib import urlencode, quote
 from django.utils.datastructures import MultiValueDict
@@ -153,6 +153,33 @@
         cookiedict[key] = c.get(key).value
     return cookiedict
 
+class MorselWrapper(Morsel):
+    " Identical to Cookie.Moresel but intercepts httponly-aware "
+    def __setitem__(self, K, V):
+        K = K.lower()
+        if K == "httponly":
+            if V:
+                self.__dict__.__setitem__(K, "")
+        else:
+            super(MorselWrapper, self).__setitem__(K, V)
+
+    def OutputString(self, attrs=None):
+        output = super(MorselWrapper, self).OutputString(attrs)
+        if "httponly" in self.__dict__:
+            output += "; httpOnly"
+        return output
+
+class SimpleCookieWrapper(SimpleCookie):
+    " Identical to Cookie.SimpleCookie but intercepts cookie creation to use MorselWrapper "
+    def __set(self, key, real_value, coded_value):
+        M = self.get(key, MorselWrapper())
+        M.set(key, real_value, coded_value)
+        dict.__setitem__(self, key, M)
+
+    def __setitem__(self, key, value):
+        rval, cval = self.value_encode(value)
+        self.__set(key, rval, cval)
+
 class HttpResponse(object):
     "A basic HTTP response, with content and dictionary-accessed headers"
     def __init__(self, content='', mimetype=None):
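Review bot: `MorselWrapper.__setitem__` only ever sets the flag: a falsy `V` falls through without touching `self.__dict__`, so once `httponly` has been set on a morsel it cannot be cleared again, and `OutputString` keeps appending `; httpOnly` even when called with an `attrs` list that excludes it. Storing the flag in the instance `__dict__` rather than in the mapping is presumably needed because `Morsel.__setitem__` rejects keys outside its reserved set; that deserves a comment, and the falsy branch should clear the flag, e.g. `else: self.__dict__.pop(K, None)`. The docstrings also need fixing: `Cookie.Moresel` should read `Cookie.Morsel`, and `intercepts httponly-aware` reads as an unfinished sentence — `Identical to Cookie.Morsel but understands the httponly attribute` would do. In `SimpleCookieWrapper`, `__set` is name-mangled per class, so the base class's `load()` path, which calls its own `_BaseCookie__set`, still builds plain `Morsel` objects; that is fine for cookies set through `__setitem__`, but a comment should say that parsed cookies are not wrapped.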
@@ -167,7 +194,7 @@
             self._container = [content]
             self._is_string = True
         self.headers = {'Content-Type': mimetype}
-        self.cookies = SimpleCookie()
+        self.cookies = SimpleCookieWrapper()
         self.status_code = 200
 
     def __str__(self):
@@ -196,9 +223,9 @@
                 return True
         return False
 
-    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None):
+    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None):
         self.cookies[key] = value
-        for var in ('max_age', 'path', 'domain', 'secure', 'expires'):
+        for var in ('max_age', 'path', 'domain', 'secure', 'expires', 'httponly'):
             val = locals()[var]
             if val is not None:
                 self.cookies[key][var.replace('_', '-')] = val
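Review bot: The new `httponly` parameter on `set_cookie` is undocumented, and its behaviour is not obvious from the loop: `False` is not `None`, so it is forwarded to the cookie, where `MorselWrapper.__setitem__` silently ignores it, meaning only truthy values have any effect. A short docstring would cover this, e.g. `"""Set a cookie on the response; httponly=True adds the HttpOnly attribute, which keeps the cookie out of reach of client-side script."""`. The hunk ends at the loop body, so any remaining lines of `set_cookie` are outside it.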
