#23149 closed Cleanup/optimization (fixed)
Confusing documentation on HTTPOnly with cookie backed sessions
| Reported by: | Sasha Romijn | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Our documentation on cookie backed sessions says:
It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
``True`` to prevent tampering of the stored data from JavaScript.
This appears to imply that if you set SESSION_COOKIE_HTTPONLY to False, it is possible to tamper with the stored data. However, tampering is prevented not by HTTPONLY, but by the signature on the cookie, based on the secret key. Although disabling HTTPONLY would allow tampering from javascript, that tampering would still be immediately evident on the server side.
I propose changing this to:
It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
``True`` to prevent access to the stored data from JavaScript.
It's rather trivial, but as this is security documentation, I think it should still have a second pair of eyes.
Change History (6)
comment:1 Changed 9 years ago by
| Triage Stage: | Unreviewed → Ready for checkin |
|---|
comment:2 Changed 9 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
It makes sense to me.
Note that there seem to be a word missing from the sentence in the first place: "it's recommended to leave the SESSION_COOKIE_HTTPONLY setting to True".