Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-08-03 18:38:50 +00:00 · 2010-11-26 13:30:50 +00:00 · 2010-11-26 13:30:50 +00:00 · 78be884ea7
commit 78be884ea7
parent ba21814583
9 changed files with 150 additions and 13 deletions
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@ -457,6 +457,23 @@ The domain to use for session cookies. Set this to a string such as
 ``".lawrence.com"`` (note the leading dot!) for cross-domain cookies, or use
 ``None`` for a standard domain cookie.

+SESSION_COOKIE_HTTPONLY
+-----------------------
+
+Default: ``False``
+
+Whether to use HTTPOnly flag on the session cookie. If this is set to
+``True``, client-side JavaScript will not to be able to access the
+session cookie.
+
+HTTPOnly_ is a flag included in a Set-Cookie HTTP response header. It
+is not part of the RFC2109 standard for cookies, and it isn't honored
+consistently by all browsers. However, when it is honored, it can be a
+useful way to mitigate the risk of client side script accessing the
+protected cookie data.
+
+.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
+
 SESSION_COOKIE_NAME
 -------------------