Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#13347 closed (duplicate)

XSS Attack prevention using HttpOnly

Reported by: Jari Pennanen
Owned by: nobody
Component: contrib.auth
Version: 1.1
Severity:
Keywords: security xss
Cc: Jari Pennanen
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

I've just read about a cookie attribute called "HttpOnly"; to me it seems like Django authentication and session IDs should use it.

Currently Django logs in like this (Live HTTP Headers):

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/

After that hardening it would work like this:

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly

It could be an option if someone really needs the session ID in JavaScript, but in maybe 99.9% of cases one never reads the sessionid cookie from JavaScript, so it would be wise to make HttpOnly the default.
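As an added illustration (not part of the ticket, and not Django's own code), the following standalone Python shows the two header shapes quoted above: it builds a session Set-Cookie line with HttpOnly set, and provides a small audit function that parses any Set-Cookie value and reports whether HttpOnly (and Secure) are present. The session ID values are constructed placeholders; the "before" header is the one quoted in the ticket.

```python
from http.cookies import SimpleCookie

# Constructed sample: the "before" header quoted in the ticket (no HttpOnly).
TICKET_BEFORE = "sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/"


def build_session_cookie(session_id, max_age=1209600, httponly=True, secure=False):
    """Return a Set-Cookie header value for a session cookie.

    Uses the standard library Morsel so the attribute spelling (HttpOnly,
    Max-Age, Path) matches what browsers expect.
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    morsel = cookie["sessionid"]
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    morsel["httponly"] = httponly   # hides the cookie from document.cookie
    morsel["secure"] = secure       # only sent over HTTPS when set
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Parse a raw Set-Cookie value and report which protective flags it carries.

    Returns a dict with the cookie name, booleans for HttpOnly and Secure,
    and a list of the flags that are missing. Attribute names are matched
    case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    has_httponly = "httponly" in attrs
    has_secure = "secure" in attrs
    missing = [flag for flag, present in (("HttpOnly", has_httponly),
                                          ("Secure", has_secure)) if not present]
    return {
        "name": name.strip(),
        "httponly": has_httponly,
        "secure": has_secure,
        "missing": missing,
    }


if __name__ == "__main__":
    print("before:", audit_set_cookie(TICKET_BEFORE))
    hardened = build_session_cookie("abc123")  # constructed session ID
    print("after: ", hardened)
    print("audit: ", audit_set_cookie(hardened))
```

The audit function is the kind of check a reviewer can run over captured response headers to confirm the flag is actually emitted; it does not replace a real cookie parser but handles the attribute forms seen in the ticket. In Django itself the behaviour requested here is governed by the SESSION_COOKIE_HTTPONLY setting added in a later release than the 1.1 this ticket was filed against.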

Change History (2)

comment:1 by Karen Tracey, 15 years ago

Resolution: duplicate
Status: new → closed

Isn't this #3304?

comment:2 by Jari Pennanen, 15 years ago

You know, it is. I searched for "HttpOnly" using the search bar above... Now I've noticed the search bar does not search tickets... Sorry.
