Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#16847 closed Cleanup/optimization (fixed)

Session Cookies should default to HttpOnly = True

Reported by: PaulM Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The Session cookies that Django sets should default to HttpOnly = True. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.

In 1.3, we added support for HttpOnly as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).

Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.

Change History (5)

comment:1 Changed 4 years ago by Alex

  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 4 years ago by jacob

  • milestone 1.4 deleted

Milestone 1.4 deleted

comment:2 Changed 4 years ago by PaulM

  • Resolution set to fixed
  • Status changed from new to closed

In [17135]:

Fixed #16847. Session Cookies now default to httponly = True.

comment:3 Changed 4 years ago by lukeplant

I think the note in the 1.4 release notes needs to be under 'Backwards incompatible changes', because technically it is one, and not under 'minor new features'.

comment:4 Changed 4 years ago by PaulM

You're right, it was in the wrong place. Fixed that and improved the tests a bit in r17140 and r17141.

Note: See TracTickets for help on using tickets.
Back to Top