Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#16847 closed Cleanup/optimization (fixed)

Session Cookies should default to HttpOnly = True

Reported by: Paul McMillan Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The Session cookies that Django sets should default to HttpOnly = True. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.

In 1.3, we added support for HttpOnly as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).

Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.
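The check this ticket argues for, as an added example (not Django's own code): a small audit over raw Set-Cookie header values that flags a session cookie scripts could read. It assumes Django's default cookie name sessionid and constructed sample headers; in Django itself the change is the setting SESSION_COOKIE_HTTPONLY = True.

```python
"""Audit Set-Cookie headers for session cookies readable by page scripts.

Added example for ticket #16847, not code from Django. Assumes the session
cookie is named 'sessionid' (Django's default SESSION_COOKIE_NAME) and that
each response is given as a list of raw Set-Cookie header values.
"""
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"  # Django default; pass your own if changed


def audit_set_cookie(header_values, session_cookie_name=SESSION_COOKIE_NAME):
    """Return {cookie_name: [missing attributes]} for the session cookie.

    HttpOnly is the attribute this ticket is about: without it an XSS payload
    can read the cookie via document.cookie. Secure is reported alongside it
    because the same cookie carries both flags and both are off in 1.3.
    """
    findings = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses "name=value; attr; attr=value" into Morsels
        for name, morsel in jar.items():
            if name != session_cookie_name:
                continue
            missing = []
            # Flag attributes are True when present, "" when absent.
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if not morsel["secure"]:
                missing.append("Secure")
            findings[name] = missing
    return findings


# Constructed sample headers: a 1.3-style default (no HttpOnly) and a
# hardened response with both flags set, as a 1.4 deployment over TLS would send.
WEAK_HEADERS = [
    "sessionid=c0ffee; Max-Age=1209600; Path=/",
    "csrftoken=abc123; Max-Age=31449600; Path=/",
]
HARDENED_HEADERS = [
    "sessionid=c0ffee; Max-Age=1209600; Path=/; Secure; HttpOnly",
    "csrftoken=abc123; Max-Age=31449600; Path=/",
]

if __name__ == "__main__":
    print("weak:", audit_set_cookie(WEAK_HEADERS))
    print("hardened:", audit_set_cookie(HARDENED_HEADERS))
```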

Change History (5)

comment:1 Changed 5 years ago by Alex Gaynor

Triage Stage: Unreviewed → Accepted

comment:2 Changed 5 years ago by Jacob

milestone: 1.4

Milestone 1.4 deleted

comment:2 Changed 5 years ago by Paul McMillan

Resolution: fixed
Status: new → closed

In [17135]:

Fixed #16847. Session Cookies now default to httponly = True.

comment:3 Changed 5 years ago by Luke Plant

I think the note in the 1.4 release notes needs to be under 'Backwards incompatible changes', because technically it is one, and not under 'minor new features'.

comment:4 Changed 5 years ago by Paul McMillan

You're right, it was in the wrong place. Fixed that and improved the tests a bit in r17140 and r17141.
