author: Paul McMillan <Paul@McMillan.ws> 2012-03-02 04:22:16 +0000
committer: Paul McMillan <Paul@McMillan.ws> 2012-03-02 04:22:16 +0000
commit: 2a4e49595acd263e9bac67c32b1683dc4310901b (patch)
tree: a8616fdc1a5e160c6389a2897246a2fe92414fdf /docs/releases/1.4.txt
parent: 60119d4f49f78a635f801d53c102f1463e28fe8a (diff)
Fixed #17766. Clarified HttpOnly flag on session cookie.

Thanks ptone for the patch!

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17618 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs/releases/1.4.txt')
-rw-r--r-- docs/releases/1.4.txt 7
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index cce28d8c78..de4cdadc3c 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -998,8 +998,11 @@ Session cookies now have the ``httponly`` flag by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+help reduce the impact of potential XSS attacks. As a consequence of
+this change, session cookie data, including sessionid, is no longer
+accessible from Javascript in many browsers. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
+settings file.
The :tfilter:`urlize` filter no longer escapes every URL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
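Review bot: the added sentence says session cookie data "is no longer accessible from Javascript in many browsers" but leaves the reader guessing about the rest; browsers that do not understand the attribute simply ignore it and the cookie stays readable there, so the text should say that the ``httponly`` flag is a defence-in-depth measure and not a guarantee. Two smaller points in the same added lines: "Javascript" should be spelled "JavaScript", and since the surrounding text already uses Sphinx roles (``:tfilter:`urlize``` a few lines below), the setting would be better written as ``:setting:`SESSION_COOKIE_HTTPONLY``` so it links to its reference entry, with ``sessionid`` marked up as an inline literal.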