Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13347 closed (duplicate)

XSS Attack prevention using HttpOnly

Reported by: Ciantic Owned by: nobody
Component: contrib.auth Version: 1.1
Severity: Keywords: security xss
Cc: Ciantic Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


I've just read about Cookie setting called "HttpOnly", to me it seems like Django authentication and sessionid's should use that.

Currently Django logs in like this (Live HTTP Headers):

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/

After that hardening it would work like this:

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly

It could be option if someone really needs the session id in the javascript, maybe 99.9% of cases one never retrieves sessionid cookie by javascript so it would be wise to make this HttpOnly as default.

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by kmtracey

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Isn't this #3304?

comment:2 Changed 4 years ago by Ciantic

You know, it is. I searched using "HttpOnly" from above search bar... Now I noticed the search bar does not search from tickets... Sorries.

Add Comment

Modify Ticket

Change Properties
<Author field>
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.