Fixed #16847. Session Cookies now default to httponly = True.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 4d975b4f882eb2a68da02e069aa1debb99073497 1 parent 43c5d35
Paul McMillan authored November 21, 2011
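--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -445,7 +445,7 @@
 SESSION_COOKIE_DOMAIN = None                            # A string like ".lawrence.com", or None for standard domain cookie.
 SESSION_COOKIE_SECURE = False                           # Whether the session cookie should be secure (https:// only).
 SESSION_COOKIE_PATH = '/'                               # The path of the session cookie.
-SESSION_COOKIE_HTTPONLY = False                         # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
+SESSION_COOKIE_HTTPONLY = True                          # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
 SESSION_SAVE_EVERY_REQUEST = False                      # Whether to save the session data on every request.
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False                 # Whether a user's session cookie expires when the Web browser is closed.
 SESSION_ENGINE = 'django.contrib.sessions.backends.db'  # The module to store session data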
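Review bot: The trailing comment on the changed `SESSION_COOKIE_HTTPONLY` line still describes HttpOnly as a "non-RFC standard" flag with a browser list, which is stale now that RFC 6265 defines it; since this line flips the default, refresh it to say what the flag actually buys, e.g. `SESSION_COOKIE_HTTPONLY = True                          # Set the HttpOnly flag (RFC 6265) on the session cookie so client-side script cannot read the session key.` It is worth being explicit in that comment or the docs that HttpOnly only stops `document.cookie` from exposing the session ID under XSS; injected script can still issue requests that carry the cookie, and `SESSION_COOKIE_SECURE` two lines above still defaults to `False`, so the cookie is still sent over plain HTTP. Separately, the diffstat for this commit contains no file under `django/http`, yet `docs/ref/request-response.txt` in the same commit rewrites the documented default of `HttpResponse.set_cookie` and `set_signed_cookie` to `httponly=True`; unless that default was changed in a commit not shown here, that documentation overstates the change (the commit title and release note scope it to session cookies) and should keep `httponly=False` with a pointer to this setting.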
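--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -343,7 +343,8 @@ def test_secure_session_cookie(self):
 
         # Handle the response through the middleware
         response = middleware.process_response(request, response)
-        self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
+        self.assertTrue(
+            response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
 
     @override_settings(SESSION_COOKIE_HTTPONLY=True)
     def test_httponly_session_cookie(self):
@@ -357,7 +358,27 @@ def test_httponly_session_cookie(self):
 
         # Handle the response through the middleware
         response = middleware.process_response(request, response)
-        self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+        self.assertTrue(
+            response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+        self.assertIn('httponly', 
+            str(response.cookies[settings.SESSION_COOKIE_NAME]))
+
+    @override_settings(SESSION_COOKIE_HTTPONLY=False)
+    def test_no_httponly_session_cookie(self):
+        request = RequestFactory().get('/')
+        response = HttpResponse('Session test')
+        middleware = SessionMiddleware()
+
+        # Simulate a request the modifies the session
+        middleware.process_request(request)
+        request.session['hello'] = 'world'
+
+        # Handle the response through the middleware
+        response = middleware.process_response(request, response)
+        self.assertFalse(
+            response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+        self.assertNotIn('httponly', 
+            str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']))
 
 
 class CookieSessionTests(SessionTestsMixin, TestCase):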
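Review bot: The final `assertNotIn` in `test_no_httponly_session_cookie` stringifies the morsel's `['httponly']` attribute value instead of the morsel itself, so it searches for `'httponly'` inside the attribute's value (empty when the flag is unset) and passes no matter what the rendered Set-Cookie header contains; it should mirror the positive test a few lines up: `str(response.cookies[settings.SESSION_COOKIE_NAME]))`. Neither test in this hunk exercises the new default, since both pin the value with `@override_settings`, so a silent regression of `SESSION_COOKIE_HTTPONLY` back to `False` in `global_settings.py` would not be caught; a third test with no override that asserts the flag is present would pin the behaviour this commit is actually introducing. Minor: both `assertIn('httponly', ` / `assertNotIn('httponly', ` lines carry trailing whitespace, and the comment should read `# Simulate a request that modifies the session`.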
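--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -638,7 +638,7 @@ Methods
     Returns ``True`` or ``False`` based on a case-insensitive check for a
     header with the given name.
 
-.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
 
     .. versionchanged:: 1.3
 
@@ -646,6 +646,10 @@ Methods
     ``expires``, and the auto-calculation of ``max_age`` in such case
     was added. The ``httponly`` argument was also added.
 
+    .. versionchanged:: 1.4
+
+    The default value for httponly was changed from ``False`` to ``True``.
+
     Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
     object in the Python standard library.
 
@@ -673,7 +677,7 @@ Methods
 
     .. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
 
-.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
 
     .. versionadded:: 1.4
 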
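--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -451,10 +451,10 @@ Minor features
 
 Django 1.4 also includes several smaller improvements worth noting:
 
-* A more usable stacktrace in the technical 500 page: frames in the stack
-  trace which reference Django's code are dimmed out, while frames in user
-  code are slightly emphasized. This change makes it easier to scan a stacktrace
-  for issues in user code.
+* A more usable stacktrace in the technical 500 page: frames in the
+  stack trace which reference Django's code are dimmed out, while
+  frames in user code are slightly emphasized. This change makes it
+  easier to scan a stacktrace for issues in user code.
 
 * :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
 
@@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
 * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
   command.
 
+* Changed the default value for ``httponly`` on session cookies to
+  ``True`` to help reduce the impact of potential XSS attacks.
+
 .. _backwards-incompatible-changes-1.4:
 
 Backwards incompatible changes in 1.4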
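--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting.
 
 .. note::
 
-    It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting
-    to ``True`` to prevent tampering of the stored data from JavaScript.
+    It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
+    ``True`` to prevent tampering of the stored data from JavaScript.
 
 .. warning::
 
@@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as
 SESSION_COOKIE_HTTPONLY
 -----------------------
 
-Default: ``False``
+Default: ``True``
 
 Whether to use HTTPOnly flag on the session cookie. If this is set to
 ``True``, client-side JavaScript will not to be able to access the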
