Fixed #17766. Clarified HttpOnly flag on session cookie.

Thanks ptone for the patch!


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 2a4e49595acd263e9bac67c32b1683dc4310901b 1 parent 60119d4
Paul McMillan authored March 02, 2012
7  docs/releases/1.4-beta-1.txt
@@ -1112,8 +1112,11 @@ Session cookies now have the ``httponly`` flag by default
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+help reduce the impact of potential XSS attacks. As a consequence of
+this change, session cookie data, including sessionid, is no longer
+accessible from Javascript in many browsers. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
+settings file.
 
 Wildcard expansion of application names in `INSTALLED_APPS`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
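Review bot: in the added lines of this hunk, ``Javascript`` should be spelled ``JavaScript``, and ``sessionid`` is a literal cookie name, so it should be marked up as ``sessionid`` to match the ``httponly`` and ``SESSION_COOKIE_HTTPONLY`` literals in the same paragraph. "In many browsers" is also vaguer than a release note needs to be; either say what is meant ("in browsers that honour the HttpOnly attribute") or drop the qualifier. It would also help readers to state the limit of the protection explicitly: the attribute only blocks script access to the cookie value, while script injected via XSS can still issue requests that carry the cookie, which is why the paragraph correctly says "reduce" rather than "prevent".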
7  docs/releases/1.4.txt
@@ -998,8 +998,11 @@ Session cookies now have the ``httponly`` flag by default
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+help reduce the impact of potential XSS attacks. As a consequence of
+this change, session cookie data, including sessionid, is no longer
+accessible from Javascript in many browsers. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
+settings file.
 
 The :tfilter:`urlize` filter no longer escapes every URL
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
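Review bot: the added lines here are word-for-word the same paragraph as in docs/releases/1.4-beta-1.txt, so the same wording fixes apply (``JavaScript`` capitalisation, ``sessionid`` as a literal, the "in many browsers" qualifier, and a sentence on what HttpOnly does not stop). Because the note is duplicated across 1.4-beta-1.txt and 1.4.txt, any follow-up wording change has to land in both files or the two release notes will drift apart.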
