#16847 closed Cleanup/optimization (fixed)
Session Cookies should default to HttpOnly = True
| Reported by: | Paul McMillan | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 1.3 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The Session cookies that Django sets should default to HttpOnly = True. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.
In 1.3, we added support for HttpOnly as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).
Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.
Change History (5)
comment:1 by , 13 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 13 years ago
| milestone: | 1.4 |
|---|
comment:3 by , 13 years ago
I think the note in the 1.4 release notes needs to be under 'Backwards incompatible changes', because technically it is one, and not under 'minor new features'.
Milestone 1.4 deleted