id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
23149	Confusing documentation on HTTPOnly with cookie backed sessions	Sasha Romijn	nobody	"Our [[https://github.com/django/django/blob/master/docs/topics/http/sessions.txt#L126|documentation on cookie backed sessions]] says:
{{{
    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent tampering of the stored data from JavaScript.
}}}

This appears to imply that if you set `SESSION_COOKIE_HTTPONLY` to False, it is possible to tamper with the stored data. However, tampering is prevented not by HTTPONLY, but by the signature on the cookie, based on the secret key. Although disabling HTTPONLY would allow tampering from JavaScript, that tampering would still be immediately evident on the server side.

I propose changing this to:
{{{
    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
    ``True`` to prevent access to the stored data from JavaScript.
}}}

It's rather trivial, but as this is security documentation, I think it should still have a second pair of eyes."	Cleanup/optimization	closed	contrib.sessions	dev	Normal	fixed			Ready for checkin	0	0	0	0	0	0
