Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13347 closed (duplicate)

XSS Attack prevention using HttpOnly

Reported by: Ciantic
Owned by: nobody
Component: contrib.auth
Version: 1.1
Severity:
Keywords: security xss
Cc: Ciantic
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I've just read about a cookie setting called "HttpOnly"; to me it seems like Django authentication and session IDs should use that.

Currently Django logs in like this (Live HTTP Headers):

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/

After that hardening it would work like this:

Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly

It could be an option if someone really needs the session id in JavaScript; in maybe 99.9% of cases one never retrieves the sessionid cookie by JavaScript, so it would be wise to make HttpOnly the default.
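
The check described in this ticket, as an added example (not Django's code and not the reporter's): parse a Set-Cookie header and report whether the session cookie is missing the HttpOnly flag. The two sample headers are constructed from the before/after lines quoted above, with a placeholder in place of the reporter's "???".

```python
# Added example, not from the Django ticket or code base: audit a Set-Cookie
# header for the HttpOnly flag on the session cookie.
from typing import Dict, List, Optional, Tuple

# Attributes that take no value; anything else is treated as name=value.
FLAG_ATTRIBUTES = {"httponly", "secure"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (cookie name, cookie value, attributes).

    Attribute names are lower-cased so callers can compare case-insensitively;
    flag attributes map to None, valued attributes to their string value.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]  # drop the header name only
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        attrs[key] = None if key in FLAG_ATTRIBUTES or not sep else val.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, session_cookie: str = "sessionid") -> List[str]:
    """Return the hardening flags the session cookie lacks ([] if none)."""
    name, _, attrs = parse_set_cookie(header)
    if name != session_cookie:
        return []  # some other cookie; not what this ticket is about
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


# Constructed sample headers mirroring the ticket's before/after lines.
BEFORE = ("Set-Cookie: sessionid=PLACEHOLDER; expires=Wed, 28-Apr-2010 17:48:38 GMT; "
          "Max-Age=1209600; Path=/")
AFTER = BEFORE + "; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", audit_session_cookie(hdr) or "none")
```

HttpOnly only keeps script from reading the cookie value via document.cookie; the browser still attaches the cookie to requests an injected script makes, so it narrows the impact of XSS rather than preventing it.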

Change History (2)

comment:1 Changed 5 years ago by kmtracey

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Isn't this #3304?

comment:2 Changed 5 years ago by Ciantic

You know, it is. I searched for "HttpOnly" using the search bar above... Now I've noticed the search bar does not search tickets... Sorry.
