[#1941] Docs and changelog for HttpOnly flag

ckan · Nov 14, 2014 · 33ac024 · 33ac024
1 parent 629e466
commit 33ac024
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -35,6 +35,11 @@ API changes and deprecations
   ``*``. To re-enable CORS, use the new ``ckan.cors`` settings detailed in the
   Config File Options documentation (:doc:`/maintaining/configuration`)
 
+* The HttpOnly flag will be set on the authorization cookie by default. For
+  enhanced security, we recommend using the HttpOnly flag, but this behaviour
+  can be changed in the ``Repoze.who`` settings detailed in the Config File
+  Options documentation (:doc: `/maintaining/configuration`)
+
 Template changes
 ----------------
 

diff --git a/doc/maintaining/configuration.rst b/doc/maintaining/configuration.rst
@@ -60,6 +60,24 @@ files, and enables CKAN templates' debugging features.
    commands.
 
 
+Repoze.who Settings
+-------------------
+
+.. _who.httponly:
+
+who.httponly
+^^^^^^^^^^^
+
+Example::
+
+ who.httponly = False
+
+Default value: True
+
+This determines whether the HttpOnly flag will be set on the repoze.who
+authorization cookie. The default in the absence of the setting is ``True``.
+
+
 Database Settings
 -----------------