Ticket #3304: httponly_docs.patch

request_response.txt

@@ -364 +364 @@
-    Returns ``True`` or ``False`` based on a case-insensitive check for a
-    header with the given name.
-
-
+, httponly=None
-    Sets a cookie. The parameters are the same as in the `cookie Morsel`_
-
+, aside from ``httponly``
-
-        * ``max_age`` should be a number of seconds, or ``None`` (default) if
-          the cookie should last only as long as the client's browser session.
@@ -377 +377 @@
-          the domains www.lawrence.com, blogs.lawrence.com and
-          calendars.lawrence.com. Otherwise, a cookie will only be readable by
-          the domain that set it.
+        * Use ``httponly`` set to ``True`` to set non-standard HttpOnly Cookie
+          flag to disallow access to this cookie via JavaScript. Not all browsers
+          honor this flag. See the `session docs`_.
-
+    .. _session docs: ../sessions/
-    .. _`cookie Morsel`: http://www.python.org/doc/current/lib/morsel-objects.html
-
-``delete_cookie(key, path='/', domain=None)``

sessions.txt

@@ -288 +288 @@
-(default), then the session data will only be saved if it has been modified --
-that is, if any of its dictionary values have been assigned or deleted.
-
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttpOnly Cookie flag. Some browsers, notably
+Internet Explorer and upcoming Firefox 3, allow cookies to be sent as HTTP-only.
+These cookies cannot be read using JavaScript, minimizing cross-site scripting
+attacks for user agents that support it.
+
-.. _Django settings: ../settings/
-
-Technical details

settings.txt

@@ -736 +736 @@
-
-Whether to save the session data on every request. See the `session docs`_.
-
+SESSION_HTTP_ONLY
+-----------------
+
+Default: ``False``
+
+Whether to use the non-standard HttOnly Cookie flag. See the `session docs`_.
+
-SITE_ID
--------
-