| author | Russell Keith-Magee <russell@keith-magee.com> | 2010-11-26 13:30:50 +0000 |
|---|---|---|
| committer | Russell Keith-Magee <russell@keith-magee.com> | 2010-11-26 13:30:50 +0000 |
| commit | 78be884ea788835ad98ad433862a82cf192c3d4f (patch) | |
| tree | 847a8e79b97f45de19f0c288e485a969237b3699 /docs/ref/request-response.txt | |
| parent | ba21814583e5e3a4fafc4f5f34a26b6acdfb7590 (diff) | |
Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/ref/request-response.txt')
| -rw-r--r-- | docs/ref/request-response.txt | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt index 7f2284f9f5..cc89229725 100644 --- a/docs/ref/request-response.txt +++ b/docs/ref/request-response.txt @@ -566,7 +566,13 @@ Methods Returns ``True`` or ``False`` based on a case-insensitive check for a header with the given name. -.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None) +.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False) + + .. versionchanged:: 1.3 + + The possibility of specifying a ``datetime.datetime`` object in + ``expires``, and the auto-calculation of ``max_age`` in such case + was added. The ``httponly`` argument was also added. Sets a cookie. The parameters are the same as in the `cookie Morsel`_ object in the Python standard library. @@ -583,14 +589,18 @@ Methods the domains www.lawrence.com, blogs.lawrence.com and calendars.lawrence.com. Otherwise, a cookie will only be readable by the domain that set it. + * Use ``http_only=True`` if you want to prevent client-side + JavaScript from having access to the cookie. - .. _`cookie Morsel`: http://docs.python.org/library/cookie.html#Cookie.Morsel + HTTPOnly_ is a flag included in a Set-Cookie HTTP response + header. It is not part of the RFC2109 standard for cookies, + and it isn't honored consistently by all browsers. However, + when it is honored, it can be a useful way to mitigate the + risk of client side script accessing the protected cookie + data. - .. versionchanged:: 1.3 - - Both the possibility of specifying a ``datetime.datetime`` object in - ``expires`` and the auto-calculation of ``max_age`` in such case were added - in Django 1.3. + .. _`cookie Morsel`: http://docs.python.org/library/cookie.html#Cookie.Morsel + .. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly .. method:: HttpResponse.delete_cookie(key, path='/', domain=None) |
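Review bot: in the first hunk the rewritten ``versionchanged`` text has a subject/verb agreement slip: "The possibility of specifying a ``datetime.datetime`` object in ``expires``, and the auto-calculation of ``max_age`` in such case was added" joins two subjects with a singular verb. Either restore the original "Both ... were added" phrasing or change "was added" to "were added"; the follow-on sentence "The ``httponly`` argument was also added." is fine as is.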
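Review bot: the new bullet in the second hunk tells readers to "Use ``http_only=True``", but the signature added in the first hunk (and the ``versionchanged`` note) names the keyword ``httponly``; ``set_cookie(..., http_only=True)`` would be rejected as an unknown keyword argument. Change the bullet to ``httponly=True`` so the documented name matches the parameter. The surrounding paragraph on the flag not being part of RFC2109 and not being honoured by every browser is a useful caveat and reads correctly.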
