id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
16847	Session Cookies should default to HttpOnly = True	Paul McMillan	nobody	"The Session cookies that Django sets should default to `HttpOnly = True`. While this does not mitigate every form of session and cookie theft, it would improve security significantly. This is especially true in the cases where XSS is possible, despite our best efforts to stop it.

In 1.3, we added support for `HttpOnly` as the fix for #3304. The default setting then was False. For 1.4 it should be True. At this time, all major browsers fully support the setting (IE6+, FF2+, Safari, Opera, Chrome).

Applications which are directly accessing the session cookie with AJAX are probably doing it wrong. There's no legitimate reason this cookie needs to be available to scripts. If we make it unavailable to scripts, we make actually exploiting an XSS bug significantly more difficult.
"	Cleanup/optimization	closed	contrib.sessions	1.3	Normal	fixed			Accepted	0	0	0	0	0	0