#13347 closed (duplicate)
XSS Attack prevention using HttpOnly
| Reported by: | Jari Pennanen | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.1 |
| Severity: | | Keywords: | security xss |
| Cc: | Jari Pennanen | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've just read about a cookie setting called "HttpOnly"; to me it seems like Django authentication and sessionids should use that.
Currently Django logs in like this (Live HTTP Headers):
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/
After that hardening it would work like this:
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly
It could be an option if someone really needs the session id in the JavaScript; in maybe 99.9% of cases one never retrieves the sessionid cookie by JavaScript, so it would be wise to make HttpOnly the default.
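A small check for the hardening the ticket asks for, added here as an example (not part of the ticket or of Django): it parses raw Set-Cookie lines like the two quoted above and reports which flags the session cookie lacks, treating Secure as a second flag worth checking alongside HttpOnly.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example, not code from the ticket or from Django. It parses the
header lines as sent on the wire; in Django 1.4 and later the server-side
knob for this is SESSION_COOKIE_HTTPONLY (and SESSION_COOKIE_SECURE).
"""
from dataclasses import dataclass, field


@dataclass
class SetCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags
    attrs: dict = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return self.attrs.get(flag.lower()) is True


def parse_set_cookie(header: str) -> SetCookie:
    """Parse 'Set-Cookie: name=value; attr=value; Flag' into a SetCookie.

    Attribute names are case-insensitive (RFC 6265); bare attributes such
    as HttpOnly and Secure are stored as True. The 'expires' value keeps
    its embedded comma because we split on ';' only.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = SetCookie(name.strip(), value.strip())
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else True
    return cookie


def missing_hardening(header: str, required=("HttpOnly", "Secure")) -> list:
    """Return the hardening flags the cookie lacks (empty list = hardened)."""
    cookie = parse_set_cookie(header)
    return [flag for flag in required if not cookie.has_flag(flag)]


# The two headers quoted in the ticket (session value redacted there as ???).
BEFORE = ("Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; "
          "Max-Age=1209600; Path=/")
AFTER = BEFORE + "; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_hardening(hdr))
```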
Change History (2)
comment:1 by , 15 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Isn't this #3304?
comment:2 by , 15 years ago
You know, it is. I searched using "HttpOnly" from the above search bar... Now I noticed the search bar does not search tickets... Sorries.