#3304: [patch] Support "httponly"-attribute in session cookie.
-------------------------------------+--------------------------------------
          Reporter:  arvin           |         Owner:  nobody          
            Status:  new             |     Milestone:                  
         Component:  Core framework  |       Version:  SVN             
        Resolution:                  |      Keywords:  session security
             Stage:  Accepted        |     Has_patch:  1               
        Needs_docs:  0               |   Needs_tests:  1               
Needs_better_patch:  0               |  
-------------------------------------+--------------------------------------
Comment (by cyounkins):

 "While HTTP-only cookies will prevent a certain class of attack from being
 possible, there is no evidence of an in-theory or an in-practice actual
 attack on code for which the Django project itself is responsible."

 This comment represents a serious flaw in the way Django developers are
 handling security. Django is a key part of any user-created applications,
 and thus the security of user applications is intertwined with the
 security of Django.

 Does Django have a vulnerability? No. Is Django empowering users to secure
 their apps? No. And I think it should.

 Django developers need to develop a sense of responsibility for the
 security of user applications. The responsibility is not Django's alone of
 course, and certainly the developer is also to blame, but framework
 developers need to provide usable security controls to aid users.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/3304#comment:29>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
