diff options
| author | Paul McMillan <Paul@McMillan.ws> | 2011-11-21 22:03:03 +0000 |
|---|---|---|
| committer | Paul McMillan <Paul@McMillan.ws> | 2011-11-21 22:03:03 +0000 |
| commit | 4d975b4f882eb2a68da02e069aa1debb99073497 (patch) | |
| tree | 00ef324a8e80042accaf05fd122cf03c60ce0740 /django | |
| parent | 43c5d35315299330aaca1e2aab6fd2548eff7fcb (diff) | |
Fixed #16847. Session Cookies now default to httponly = True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django')
| -rw-r--r-- | django/conf/global_settings.py | 2 | ||||
| -rw-r--r-- | django/contrib/sessions/tests.py | 25 |
2 files changed, 24 insertions, 3 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index 2ef2f63618..0aee63dbc3 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -445,7 +445,7 @@ SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seco SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie. SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only). SESSION_COOKIE_PATH = '/' # The path of the session cookie. -SESSION_COOKIE_HTTPONLY = False # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others) +SESSION_COOKIE_HTTPONLY = True # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others) SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request. SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed. SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py index ce39fef0ad..58d052d67b 100644 --- a/django/contrib/sessions/tests.py +++ b/django/contrib/sessions/tests.py @@ -343,7 +343,8 @@ class SessionMiddlewareTests(unittest.TestCase): # Handle the response through the middleware response = middleware.process_response(request, response) - self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure']) + self.assertTrue( + response.cookies[settings.SESSION_COOKIE_NAME]['secure']) @override_settings(SESSION_COOKIE_HTTPONLY=True) def test_httponly_session_cookie(self): @@ -357,7 +358,27 @@ class SessionMiddlewareTests(unittest.TestCase): # Handle the response through the middleware response = middleware.process_response(request, response) - self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']) + self.assertTrue( + response.cookies[settings.SESSION_COOKIE_NAME]['httponly']) + self.assertIn('httponly', + str(response.cookies[settings.SESSION_COOKIE_NAME])) + + @override_settings(SESSION_COOKIE_HTTPONLY=False) + def test_no_httponly_session_cookie(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Simulate a request the modifies the session + middleware.process_request(request) + request.session['hello'] = 'world' + + # Handle the response through the middleware + response = middleware.process_response(request, response) + self.assertFalse( + response.cookies[settings.SESSION_COOKIE_NAME]['httponly']) + self.assertNotIn('httponly', + str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])) class CookieSessionTests(SessionTestsMixin, TestCase): |
