From 4d975b4f882eb2a68da02e069aa1debb99073497 Mon Sep 17 00:00:00 2001 From: Paul McMillan Date: Mon, 21 Nov 2011 22:03:03 +0000 Subject: Fixed #16847. Session Cookies now default to httponly = True. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/topics/http/sessions.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'docs/topics/http') diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt index 2f13c9662a..dcd4ea2c74 100644 --- a/docs/topics/http/sessions.txt +++ b/docs/topics/http/sessions.txt @@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting. .. note:: - It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting - to ``True`` to prevent tampering of the stored data from JavaScript. + It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting + ``True`` to prevent tampering of the stored data from JavaScript. .. warning:: @@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as SESSION_COOKIE_HTTPONLY ----------------------- -Default: ``False`` +Default: ``True`` Whether to use HTTPOnly flag on the session cookie. If this is set to ``True``, client-side JavaScript will not to be able to access the -- cgit v1.3