Session Cookies should default to HttpOnly = True
|Reported by:||PaulM||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The Session cookies that Django sets should default to HttpOnly = True. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.
In 1.3, we added support for HttpOnly as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).
Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.