Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#23149 closed Cleanup/optimization (fixed)

Confusing documentation on HTTPOnly with cookie backed sessions

Reported by: Sasha Romijn
Owned by: nobody
Component: contrib.sessions
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Ready for checkin
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Our documentation on cookie backed sessions says:

    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent tampering of the stored data from JavaScript.

This appears to imply that if you set SESSION_COOKIE_HTTPONLY to False, it is possible to tamper with the stored data. However, tampering is prevented not by HTTPONLY, but by the signature on the cookie, based on the secret key. Although disabling HTTPONLY would allow tampering from JavaScript, that tampering would still be immediately evident on the server side.

I propose changing this to:

    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent access to the stored data from JavaScript.

It's rather trivial, but as this is security documentation, I think it should still have a second pair of eyes.

Change History (6)

comment:1 Changed 4 years ago by Baptiste Mispelon

Triage Stage: Unreviewed → Ready for checkin

It makes sense to me.

Note that there seems to be a word missing from the sentence in the first place: "it's recommended to leave the SESSION_COOKIE_HTTPONLY setting to True".

comment:2 Changed 4 years ago by Erik Romijn <eromijn@…>

Resolution: fixed
Status: new → closed

In e26366da44bb343e7a95d01ff0dd18b8026c2802:

Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

comment:3 Changed 4 years ago by Erik Romijn <eromijn@…>

In a4eb5909588eb8be7e906206750d1b90c02ec4d1:

[1.7.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:4 Changed 4 years ago by Erik Romijn <eromijn@…>

In 316178efe6308378f2b812f96a35f378c5003c08:

[1.6.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:5 Changed 4 years ago by Erik Romijn <eromijn@…>

In 12ac0bb91bd2c18c06409e88b025f42cfe1ef555:

[1.5.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.

comment:6 Changed 4 years ago by Erik Romijn <eromijn@…>

In bc03817b42900c24643aaa086cbbf41d96c08dde:

[1.4.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
