#3304: [patch] Support "httponly"-attribute in session cookie.
-------------------------------------+--------------------------------------
           Reporter:  arvin          |        Owner:  nobody
             Status:  new            |    Milestone:
          Component:  Core framework |      Version:  SVN
         Resolution:                 |     Keywords:  session security
              Stage:  Accepted       |    Has_patch:  1
         Needs_docs:  0              |  Needs_tests:  1
 Needs_better_patch:  0              |
-------------------------------------+--------------------------------------
Comment (by russellm):
@edevil -- No, it's not even slightly debatable. It adds a new setting and a new argument where one didn't exist previously. It provides functionality that didn't exist previously. The functionality it is adding may be desirable, but it doesn't change the fact that it's new functionality.

It's also not something covered by our security fix policy. While HTTP-only cookies will prevent a certain class of attack from being possible, there is no evidence of an in-theory or an in-practice actual attack on code for which the Django project itself is responsible. If you can demonstrate that (for example) every Django admin site is vulnerable because of the non-use of HTTP-only cookies, *that* would be a security issue triggering a security release. The fact that it is possible to build a site that would be vulnerable to an attack that would be prevented by the use of HTTP-only cookies does not make this a security issue for Django as a project.

Sidebar: if you find such an attack, it should be reported to secur...@djangoproject.com.

--
Ticket URL: <http://code.djangoproject.com/ticket/3304#comment:28>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
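Added here as an illustration (not the ticket's patch and not Django's own code): what the HttpOnly flag looks like on the session cookie the patch is about, and a check a site operator can run over a response's Set-Cookie headers to find session cookies emitted without it. It assumes Django's default session cookie name `sessionid`; the sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Assumption: Django's default session cookie name.
SESSION_COOKIE_NAME = "sessionid"


def build_session_cookie(session_key, httponly):
    """Render the Set-Cookie header value for the session cookie.

    `httponly` stands in for the new setting/argument the ticket's patch
    adds: when true the bare 'HttpOnly' flag is appended, which tells the
    browser to keep the cookie out of reach of document.cookie.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    if httponly:
        morsel["httponly"] = True
    return morsel.OutputString()


def cookie_is_httponly(set_cookie_value):
    """Parse one Set-Cookie header value and report whether the HttpOnly
    flag is present. Attribute names are case-insensitive (RFC 6265)."""
    attributes = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return any(a.lower() == "httponly" for a in attributes)


def audit_session_cookies(set_cookie_headers, name=SESSION_COOKIE_NAME):
    """Return the Set-Cookie values that set `name` without HttpOnly.

    Meant to run over the Set-Cookie headers of a real response (e.g. in a
    test suite) so a site that forgot to enable the flag is noticed."""
    missing = []
    for value in set_cookie_headers:
        cookie_name = value.split("=", 1)[0].strip()
        if cookie_name == name and not cookie_is_httponly(value):
            missing.append(value)
    return missing


# Constructed sample: headers as a response might emit them before and
# after the flag is turned on for the session cookie.
SAMPLE_HEADERS = [
    "csrftoken=xyz; Path=/",
    build_session_cookie("abc123", httponly=False),
    build_session_cookie("def456", httponly=True),
]

if __name__ == "__main__":
    for value in audit_session_cookies(SAMPLE_HEADERS):
        print("session cookie without HttpOnly:", value)
```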