#3304: [patch] Support "httponly"-attribute in session cookie.
-------------------------------------+--------------------------------------
          Reporter:  arvin           |        Owner:  nobody
            Status:  new             |    Milestone:
         Component:  Core framework  |      Version:  SVN
        Resolution:                  |     Keywords:  session security
             Stage:  Accepted        |    Has_patch:  1
        Needs_docs:  0               |  Needs_tests:  1
Needs_better_patch:  0               |
-------------------------------------+--------------------------------------
Comment (by cyounkins):
"While HTTP-only cookies will prevent a certain class of attack from being possible, there is no evidence of an in-theory or an in-practice actual attack on code for which the Django project itself is responsible."

This comment represents a serious flaw in the way Django developers are handling security. Django is a key part of any user-created application, and thus the security of user applications is intertwined with the security of Django. Does Django have a vulnerability? No. Is Django empowering users to secure their apps? No. And I think it should.

Django developers need to develop a sense of responsibility for the security of user applications. The responsibility is not Django's alone, of course, and certainly the developer is also to blame, but framework developers need to provide usable security controls to aid users.

--
Ticket URL: <http://code.djangoproject.com/ticket/3304#comment:29>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
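As an added illustration of the control the ticket asks for (this is example code, not the ticket's patch or Django's own session code), the snippet below builds a session cookie with the HttpOnly attribute using only the Python standard library and audits a Set-Cookie header so that a session cookie issued without the flag can be detected. The cookie name `sessionid` and the two-week max-age are assumed values.

```python
# Added example, not from the ticket or from Django. Shows (1) how a session
# cookie gains the HttpOnly attribute and (2) how to audit a Set-Cookie header
# for it, so a deployment that forgot the flag is caught in tests or logs.
from http.cookies import SimpleCookie

SESSION_COOKIE_NAME = "sessionid"   # assumed name, mirrors Django's default
TWO_WEEKS = 14 * 24 * 60 * 60       # assumed max-age, in seconds


def build_session_cookie(session_key: str, httponly: bool = True,
                         secure: bool = False, max_age: int = TWO_WEEKS) -> str:
    """Return the Set-Cookie header value for the session cookie.

    With httponly=True the attribute is emitted, and browsers that honour
    it do not expose the cookie to page scripts via document.cookie.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["httponly"] = httponly   # emits "; HttpOnly" only when True
    morsel["secure"] = secure       # emits "; Secure" only when True
    return morsel.OutputString()


def session_cookie_flags(set_cookie_header: str) -> dict:
    """Parse one Set-Cookie header value and report its security attributes.

    Intended for auditing responses (test client, proxy or server logs):
    a session cookie with httponly=False is a finding worth fixing.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


if __name__ == "__main__":
    header = build_session_cookie("abc123")
    print(header)                        # sessionid=abc123; HttpOnly; Max-Age=1209600; Path=/
    print(session_cookie_flags(header))  # {'name': 'sessionid', 'httponly': True, 'secure': False}
```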