Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2010-11-26 13:30:50 +00:00
parent ba21814583
commit 78be884ea7
9 changed files with 150 additions and 13 deletions


@ -566,7 +566,13 @@ Methods
Returns ``True`` or ``False`` based on a case-insensitive check for a
header with the given name.
.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None)
.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
.. versionchanged:: 1.3
The possibility of specifying a ``datetime.datetime`` object in
``expires``, and the auto-calculation of ``max_age`` in such case
was added. The ``httponly`` argument was also added.
Sets a cookie. The parameters are the same as in the `cookie Morsel`_
object in the Python standard library.
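Review bot: the new ``.. versionchanged:: 1.3`` note has a plural subject ("The possibility of specifying ... and the auto-calculation of ``max_age``") paired with a singular verb ("was added"); it should read "were added", as the older 1.3 note further down this same section already does. Since that older note covers the same ``expires``/``max_age`` change, make sure only one ``versionchanged`` block for 1.3 survives in the rendered page, with the ``httponly`` sentence folded into it.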
@ -583,14 +589,18 @@ Methods
the domains www.lawrence.com, blogs.lawrence.com and
calendars.lawrence.com. Otherwise, a cookie will only be readable by
the domain that set it.
* Use ``http_only=True`` if you want to prevent client-side
JavaScript from having access to the cookie.
HTTPOnly_ is a flag included in a Set-Cookie HTTP response
header. It is not part of the RFC2109 standard for cookies,
and it isn't honored consistently by all browsers. However,
when it is honored, it can be a useful way to mitigate the
risk of client side script accessing the protected cookie
data.
.. _`cookie Morsel`: http://docs.python.org/library/cookie.html#Cookie.Morsel
.. versionchanged:: 1.3
Both the possibility of specifying a ``datetime.datetime`` object in
``expires`` and the auto-calculation of ``max_age`` in such case were added
in Django 1.3.
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
.. method:: HttpResponse.delete_cookie(key, path='/', domain=None)
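Review bot: the new bullet tells readers to pass ``http_only=True``, but the keyword added to the ``set_cookie`` signature in the previous hunk is ``httponly`` (``httponly=False``), so a reader following this advice would get a ``TypeError`` for an unexpected keyword argument; change the bullet to ``httponly=True``. Minor: "client side script" in the caveat paragraph should be hyphenated ("client-side script") to match "client-side JavaScript" two lines above it.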


@ -1392,6 +1392,25 @@ The domain to use for session cookies. Set this to a string such as
``".lawrence.com"`` for cross-domain cookies, or use ``None`` for a standard
domain cookie. See the :doc:`/topics/http/sessions`.
.. setting:: SESSION_COOKIE_HTTPONLY
SESSION_COOKIE_HTTPONLY
-----------------------
Default: ``False``
Whether to use HTTPOnly flag on the session cookie. If this is set to
``True``, client-side JavaScript will not to be able to access the
session cookie.
HTTPOnly_ is a flag included in a Set-Cookie HTTP response header. It
is not part of the RFC2109 standard for cookies, and it isn't honored
consistently by all browsers. However, when it is honored, it can be a
useful way to mitigate the risk of client side script accessing the
protected cookie data.
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
.. setting:: SESSION_COOKIE_NAME
SESSION_COOKIE_NAME
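Review bot: the description sentence has a stray "to" ("client-side JavaScript will not to be able to access the session cookie"); it should read "will not be able to access". "Whether to use HTTPOnly flag" also wants an article ("the HTTPOnly flag"). The three-sentence caveat paragraph is the same text that the ``set_cookie`` docs gained in this commit; a short cross-reference to the ``httponly`` argument of :meth:`HttpResponse.set_cookie` would keep the two from drifting apart when one is later corrected.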