Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#13347 closed (duplicate)

XSS Attack prevention using HttpOnly

Reported by: Jari Pennanen Owned by: nobody
Component: contrib.auth Version: 1.1
Severity: Keywords: security xss
Cc: Jari Pennanen Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I've just read about Cookie setting called "HttpOnly", to me it seems like Django authentication and sessionid's should use that.

Currently Django logs in like this (Live HTTP Headers):

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/

After that hardening it would work like this:

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly

It could be option if someone really needs the session id in the javascript, maybe 99.9% of cases one never retrieves sessionid cookie by javascript so it would be wise to make this HttpOnly as default.

Change History (2)

comment:1 Changed 7 years ago by Karen Tracey

Resolution: duplicate
Status: newclosed

Isn't this #3304?

comment:2 Changed 7 years ago by Jari Pennanen

You know, it is. I searched using "HttpOnly" from above search bar... Now I noticed the search bar does not search from tickets... Sorries.

Note: See TracTickets for help on using tickets.
Back to Top