Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#16847 closed Cleanup/optimization (fixed)

Session Cookies should default to HttpOnly = True

Reported by: Paul McMillan Owned by: nobody
Component: contrib.sessions Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The Session cookies that Django sets should default to HttpOnly = True. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.

In 1.3, we added support for HttpOnly as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).

Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.

Change History (5)

comment:1 by Alex Gaynor, 13 years ago

Triage Stage: UnreviewedAccepted

comment:2 by Jacob, 13 years ago

milestone: 1.4

Milestone 1.4 deleted

comment:2 by Paul McMillan, 13 years ago

Resolution: fixed
Status: newclosed

In [17135]:

Fixed #16847. Session Cookies now default to httponly = True.

comment:3 by Luke Plant, 13 years ago

I think the note in the 1.4 release notes needs to be under 'Backwards incompatible changes', because technically it is one, and not under 'minor new features'.

comment:4 by Paul McMillan, 13 years ago

You're right, it was in the wrong place. Fixed that and improved the tests a bit in r17140 and r17141.

Note: See TracTickets for help on using tickets.
Back to Top