id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
13347,XSS Attack prevention using HttpOnly,Jari Pennanen,nobody,"I've just read about [http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html Cookie setting called ""HttpOnly""]; to me it seems like Django authentication and sessionids should use that. Currently Django logs in like this (Live HTTP Headers): {{{ Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/ }}} After that hardening it would work like this: {{{ Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly }}} It could be an option if someone ''really needs the session id'' in the javascript; in maybe 99.9% of cases one never retrieves the sessionid cookie by javascript, so it would be wise to make this ''HttpOnly'' as default.",,closed,contrib.auth,1.1,,duplicate,security xss,Jari Pennanen,Unreviewed,0,0,0,0,0,0
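The ticket shows the two Set-Cookie headers but not how to tell them apart programmatically or how the flag is emitted. The following is an added example, not code from the ticket or from Django: it parses a Set-Cookie line into its attributes, reports whether the HttpOnly flag is present, and builds the hardened header with Python's standard http.cookies module. The function names cookie_attributes, has_httponly and session_cookie_header are hypothetical helper names; the two header strings are the ones quoted in the ticket (with "???" standing in for the real session key) and the session key used in the builder is constructed.

```python
from http.cookies import SimpleCookie

# The two headers quoted in the ticket; "???" is the placeholder the reporter used.
BEFORE = "Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/"
AFTER = "Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly"


def cookie_attributes(set_cookie_line):
    """Return (name, value, attributes) for one Set-Cookie header line.

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes that carry no value (HttpOnly, Secure) map to True.
    """
    header, _, body = set_cookie_line.partition(":")
    if header.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % set_cookie_line)
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def has_httponly(set_cookie_line):
    """True only when the HttpOnly flag is present on the cookie."""
    _, _, attrs = cookie_attributes(set_cookie_line)
    return attrs.get("httponly") is True


def session_cookie_header(session_key, max_age=1209600, httponly=True):
    """Build the sessionid Set-Cookie value as http.cookies emits it.

    With httponly=False the result matches the ticket's "before" shape;
    with httponly=True the HttpOnly flag is appended, which is what the
    ticket asks for as the default.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_key
    jar["sessionid"]["max-age"] = max_age
    jar["sessionid"]["path"] = "/"
    if httponly:
        jar["sessionid"]["httponly"] = True
    return jar["sessionid"].OutputString()


if __name__ == "__main__":
    # Constructed session key, not a real Django session.
    for line in (BEFORE, AFTER, "Set-Cookie: " + session_cookie_header("c1d2e3f4")):
        print("HttpOnly" if has_httponly(line) else "readable by script", "->", line)
```

A script injected through XSS reads `document.cookie` in the browser; the HttpOnly flag makes the browser omit that cookie from `document.cookie`, which is the whole benefit and also why the ticket proposes it as the default rather than the only behaviour. Django later added the `SESSION_COOKIE_HTTPONLY` setting (Django 1.4), which defaults to `True`; the checker above is useful for verifying what a deployment actually sends, since a reverse proxy or middleware can still rewrite the header.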