#13347 closed (duplicate)
XSS Attack prevention using HttpOnly
| Reported by: | Jari Pennanen | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.1 |
| Severity: | | Keywords: | security xss |
| Cc: | Jari Pennanen | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've just read about a Cookie setting called "HttpOnly"; to me it seems like Django authentication and session ids should use that.
Currently Django logs in like this (Live HTTP Headers):
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/
After that hardening it would work like this:
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly
It could be an option if someone really needs the session id in the javascript, but in maybe 99.9% of cases one never retrieves the sessionid cookie by javascript, so it would be wise to make this HttpOnly as default.
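Added example (not code from the ticket or from Django): a small check that parses Set-Cookie header values like the two quoted above and reports cookies set without the HttpOnly flag, the way a defender would audit captured response headers. The header strings are constructed from the ticket's lines and the list of cookie names to check is an assumption.

```python
# Constructed sample headers mirroring the two Set-Cookie lines in the ticket.
BEFORE_HARDENING = (
    "sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/"
)
AFTER_HARDENING = BEFORE_HARDENING + "; HttpOnly"


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and 'HTTPONLY'
    all compare equal; flag attributes without '=' map to True. Splitting on
    ';' is safe here because the 'expires' date contains commas, not semicolons.
    """
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for segment in segments[1:]:
        if not segment:
            continue
        key, has_value, val = segment.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(set_cookie_headers, names=("sessionid",)):
    """Names from `names` that a response sets without HttpOnly.

    `names` is an assumed list of cookies that script never needs to read
    (here Django's session cookie); cookies outside it are left alone, which
    is the opt-out the ticket describes.
    """
    missing = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in names and attrs.get("httponly") is not True:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(cookies_missing_httponly([BEFORE_HARDENING]))  # ['sessionid']
    print(cookies_missing_httponly([AFTER_HARDENING]))   # []
```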
Change History (2)
comment:1 by , 16 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Isn't this #3304?
comment:2 by , 16 years ago
You know, it is. I searched using "HttpOnly" from the above search bar... Now I noticed the search bar does not search tickets... Sorries.