summaryrefslogtreecommitdiff
path: root/django
diff options
context:
space:
mode:
authorPaul McMillan <Paul@McMillan.ws>2011-11-21 22:03:03 +0000
committerPaul McMillan <Paul@McMillan.ws>2011-11-21 22:03:03 +0000
commit4d975b4f882eb2a68da02e069aa1debb99073497 (patch)
tree00ef324a8e80042accaf05fd122cf03c60ce0740 /django
parent43c5d35315299330aaca1e2aab6fd2548eff7fcb (diff)
Fixed #16847. Session Cookies now default to httponly = True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django')
-rw-r--r--django/conf/global_settings.py2
-rw-r--r--django/contrib/sessions/tests.py25
2 files changed, 24 insertions, 3 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 2ef2f63618..0aee63dbc3 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -445,7 +445,7 @@ SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seco
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
SESSION_COOKIE_PATH = '/' # The path of the session cookie.
-SESSION_COOKIE_HTTPONLY = False # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
+SESSION_COOKIE_HTTPONLY = True # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed.
SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data
diff --git a/django/contrib/sessions/tests.py b/django/contrib/sessions/tests.py
index ce39fef0ad..58d052d67b 100644
--- a/django/contrib/sessions/tests.py
+++ b/django/contrib/sessions/tests.py
@@ -343,7 +343,8 @@ class SessionMiddlewareTests(unittest.TestCase):
# Handle the response through the middleware
response = middleware.process_response(request, response)
- self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
+ self.assertTrue(
+ response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
@override_settings(SESSION_COOKIE_HTTPONLY=True)
def test_httponly_session_cookie(self):
@@ -357,7 +358,27 @@ class SessionMiddlewareTests(unittest.TestCase):
# Handle the response through the middleware
response = middleware.process_response(request, response)
- self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertTrue(
+ response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertIn('httponly',
+ str(response.cookies[settings.SESSION_COOKIE_NAME]))
+
+ @override_settings(SESSION_COOKIE_HTTPONLY=False)
+ def test_no_httponly_session_cookie(self):
+ request = RequestFactory().get('/')
+ response = HttpResponse('Session test')
+ middleware = SessionMiddleware()
+
+ # Simulate a request the modifies the session
+ middleware.process_request(request)
+ request.session['hello'] = 'world'
+
+ # Handle the response through the middleware
+ response = middleware.process_response(request, response)
+ self.assertFalse(
+ response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
+ self.assertNotIn('httponly',
+ str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']))
class CookieSessionTests(SessionTestsMixin, TestCase):