Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #16847. Session Cookies now default to httponly = True.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 4d975b4f882eb2a68da02e069aa1debb99073497 1 parent 43c5d35
@PaulMcMillan PaulMcMillan authored
View
2  django/conf/global_settings.py
@@ -445,7 +445,7 @@
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
SESSION_COOKIE_PATH = '/' # The path of the session cookie.
-SESSION_COOKIE_HTTPONLY = False # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
+SESSION_COOKIE_HTTPONLY = True # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed.
SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data
View
25 django/contrib/sessions/tests.py
@@ -343,7 +343,8 @@ def test_secure_session_cookie(self):
# Handle the response through the middleware
response = middleware.process_response(request, response)
- self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
+ self.assertTrue(
+ response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
@override_settings(SESSION_COOKIE_HTTPONLY=True)
def test_httponly_session_cookie(self):
@@ -357,7 +358,27 @@ def test_httponly_session_cookie(self):
# Handle the response through the middleware
response = middleware.process_response(request, response)
- self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertTrue(
+ response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertIn('httponly',
+ str(response.cookies[settings.SESSION_COOKIE_NAME]))
+
+ @override_settings(SESSION_COOKIE_HTTPONLY=False)
+ def test_no_httponly_session_cookie(self):
+ request = RequestFactory().get('/')
+ response = HttpResponse('Session test')
+ middleware = SessionMiddleware()
+
+ # Simulate a request the modifies the session
+ middleware.process_request(request)
+ request.session['hello'] = 'world'
+
+ # Handle the response through the middleware
+ response = middleware.process_response(request, response)
+ self.assertFalse(
+ response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertNotIn('httponly',
+ str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']))
class CookieSessionTests(SessionTestsMixin, TestCase):
View
8 docs/ref/request-response.txt
@@ -638,7 +638,7 @@ Methods
Returns ``True`` or ``False`` based on a case-insensitive check for a
header with the given name.
-.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionchanged:: 1.3
@@ -646,6 +646,10 @@ Methods
``expires``, and the auto-calculation of ``max_age`` in such case
was added. The ``httponly`` argument was also added.
+ .. versionchanged:: 1.4
+
+ The default value for httponly was changed from ``False`` to ``True``.
+
Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
object in the Python standard library.
@@ -673,7 +677,7 @@ Methods
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
-.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionadded:: 1.4
View
11 docs/releases/1.4.txt
@@ -451,10 +451,10 @@ Minor features
Django 1.4 also includes several smaller improvements worth noting:
-* A more usable stacktrace in the technical 500 page: frames in the stack
- trace which reference Django's code are dimmed out, while frames in user
- code are slightly emphasized. This change makes it easier to scan a stacktrace
- for issues in user code.
+* A more usable stacktrace in the technical 500 page: frames in the
+ stack trace which reference Django's code are dimmed out, while
+ frames in user code are slightly emphasized. This change makes it
+ easier to scan a stacktrace for issues in user code.
* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
@@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
command.
+* Changed the default value for ``httponly`` on session cookies to
+ ``True`` to help reduce the impact of potential XSS attacks.
+
.. _backwards-incompatible-changes-1.4:
Backwards incompatible changes in 1.4
View
6 docs/topics/http/sessions.txt
@@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting.
.. note::
- It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting
- to ``True`` to prevent tampering of the stored data from JavaScript.
+ It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
+ ``True`` to prevent tampering of the stored data from JavaScript.
.. warning::
@@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as
SESSION_COOKIE_HTTPONLY
-----------------------
-Default: ``False``
+Default: ``True``
Whether to use HTTPOnly flag on the session cookie. If this is set to
``True``, client-side JavaScript will not to be able to access the

0 comments on commit 4d975b4

Please sign in to comment.
Something went wrong with that request. Please try again.