summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorPaul McMillan <Paul@McMillan.ws>2011-11-21 22:03:03 +0000
committerPaul McMillan <Paul@McMillan.ws>2011-11-21 22:03:03 +0000
commit4d975b4f882eb2a68da02e069aa1debb99073497 (patch)
tree00ef324a8e80042accaf05fd122cf03c60ce0740 /docs
parent43c5d35315299330aaca1e2aab6fd2548eff7fcb (diff)
Fixed #16847. Session Cookies now default to httponly = True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/request-response.txt8
-rw-r--r--docs/releases/1.4.txt11
-rw-r--r--docs/topics/http/sessions.txt6
3 files changed, 16 insertions, 9 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt
index f0ec7cf237..228b69ebe2 100644
--- a/docs/ref/request-response.txt
+++ b/docs/ref/request-response.txt
@@ -638,7 +638,7 @@ Methods
Returns ``True`` or ``False`` based on a case-insensitive check for a
header with the given name.
-.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionchanged:: 1.3
@@ -646,6 +646,10 @@ Methods
``expires``, and the auto-calculation of ``max_age`` in such case
was added. The ``httponly`` argument was also added.
+ .. versionchanged:: 1.4
+
+ The default value for httponly was changed from ``False`` to ``True``.
+
Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
object in the Python standard library.
@@ -673,7 +677,7 @@ Methods
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
-.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
+.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionadded:: 1.4
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 46527da581..b611626099 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -451,10 +451,10 @@ Minor features
Django 1.4 also includes several smaller improvements worth noting:
-* A more usable stacktrace in the technical 500 page: frames in the stack
- trace which reference Django's code are dimmed out, while frames in user
- code are slightly emphasized. This change makes it easier to scan a stacktrace
- for issues in user code.
+* A more usable stacktrace in the technical 500 page: frames in the
+ stack trace which reference Django's code are dimmed out, while
+ frames in user code are slightly emphasized. This change makes it
+ easier to scan a stacktrace for issues in user code.
* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
@@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
command.
+* Changed the default value for ``httponly`` on session cookies to
+ ``True`` to help reduce the impact of potential XSS attacks.
+
.. _backwards-incompatible-changes-1.4:
Backwards incompatible changes in 1.4
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index 2f13c9662a..dcd4ea2c74 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting.
.. note::
- It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting
- to ``True`` to prevent tampering of the stored data from JavaScript.
+ It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
+ ``True`` to prevent tampering of the stored data from JavaScript.
.. warning::
@@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as
SESSION_COOKIE_HTTPONLY
-----------------------
-Default: ``False``
+Default: ``True``
Whether to use HTTPOnly flag on the session cookie. If this is set to
``True``, client-side JavaScript will not to be able to access the