Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#23149 closed Cleanup/optimization (fixed)

Confusing documentation on HTTPOnly with cookie backed sessions

Reported by: Sasha Romijn
Owned by: nobody
Component: contrib.sessions
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Our documentation on cookie backed sessions says:

    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent tampering of the stored data from JavaScript.

This appears to imply that if you set SESSION_COOKIE_HTTPONLY to False, it is possible to tamper with the stored data. However, tampering is prevented not by HTTPONLY, but by the signature on the cookie, based on the secret key. Although disabling HTTPONLY would allow tampering from JavaScript, that tampering would still be immediately evident on the server side.

I propose changing this to:

    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent access to the stored data from JavaScript.

It's rather trivial, but as this is security documentation, I think it should still have a second pair of eyes.
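An added illustration of the point made in the description (example code, not part of the ticket or of Django's own code): with a cookie-backed session, a modified payload is rejected by the signature check, while HttpOnly only decides whether script on the page can read the cookie value at all. It assumes a constructed SECRET_KEY and a simplified HMAC-SHA256 scheme in place of django.core.signing.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this demo; a real deployment uses settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str) -> str:
    # HMAC over the encoded payload: only a holder of SECRET_KEY can produce it.
    return _b64(hmac.new(SECRET_KEY, payload.encode("ascii"), hashlib.sha256).digest())


def dump_session(session: dict) -> str:
    """Serialise session data into a signed cookie value of the form payload:signature."""
    payload = _b64(json.dumps(session, sort_keys=True).encode("utf-8"))
    return f"{payload}:{_signature(payload)}"


def load_session(cookie_value: str) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed or its signature is wrong."""
    payload, _, sig = cookie_value.rpartition(":")
    if not payload or not hmac.compare_digest(sig, _signature(payload)):
        return None  # tampering is evident server-side regardless of HttpOnly
    return json.loads(_unb64(payload))


def set_cookie_header(value: str, httponly: bool = True) -> str:
    """Render the Set-Cookie header; HttpOnly keeps the value out of document.cookie."""
    flags = "; Path=/; Secure; SameSite=Lax"
    if httponly:
        flags += "; HttpOnly"
    return f"Set-Cookie: sessionid={value}{flags}"


def tampered_copy(cookie_value: str) -> str:
    """Constructed case: the payload is rewritten client-side but the old signature is kept."""
    _, _, sig = cookie_value.rpartition(":")
    forged = _b64(json.dumps({"is_admin": True, "user_id": 1}).encode("utf-8"))
    return f"{forged}:{sig}"
```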

Change History (6)

comment:1 by Baptiste Mispelon, 10 years ago

Triage Stage: Unreviewed → Ready for checkin

It makes sense to me.

Note that there seems to be a word missing from the sentence in the first place: "it's recommended to leave the SESSION_COOKIE_HTTPONLY setting to True".

comment:2 by Erik Romijn <eromijn@…>, 10 years ago

Resolution: fixed
Status: new → closed

In e26366da44bb343e7a95d01ff0dd18b8026c2802:

Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

comment:3 by Erik Romijn <eromijn@…>, 10 years ago

In a4eb5909588eb8be7e906206750d1b90c02ec4d1:

[1.7.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:4 by Erik Romijn <eromijn@…>, 10 years ago

In 316178efe6308378f2b812f96a35f378c5003c08:

[1.6.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:5 by Erik Romijn <eromijn@…>, 10 years ago

In 12ac0bb91bd2c18c06409e88b025f42cfe1ef555:

[1.5.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:6 by Erik Romijn <eromijn@…>, 10 years ago

In bc03817b42900c24643aaa086cbbf41d96c08dde:

[1.4.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
