id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13347	XSS Attack prevention using HttpOnly	Jari Pennanen	nobody	"I've just read about the [http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html cookie setting called ""HttpOnly""]; to me it seems like Django authentication and session IDs should use that.

Currently Django logs in like this (Live HTTP Headers):

{{{
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/
}}}

After that hardening it would work like this:

{{{
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly
}}}

It could be an option if someone ''really needs the session id'' in the JavaScript; in maybe 99.9% of cases one never retrieves the sessionid cookie by JavaScript, so it would be wise to make this ''HttpOnly'' the default."		closed	contrib.auth	1.1		duplicate	security xss	Jari Pennanen	Unreviewed	0	0	0	0	0	0
