Fixed #16847. Session Cookies now default to httponly = True.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Paul McMillan 2011-11-21 22:03:03 +00:00
parent 43c5d35315
commit 4d975b4f88
5 changed files with 40 additions and 12 deletions


@ -445,7 +445,7 @@ SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seco
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie. SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only). SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
SESSION_COOKIE_PATH = '/' # The path of the session cookie. SESSION_COOKIE_PATH = '/' # The path of the session cookie.
SESSION_COOKIE_HTTPONLY = False # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others) SESSION_COOKIE_HTTPONLY = True # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request. SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed. SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed.
SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data
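Review bot: This one-line setting change is the only non-test source change among the five files in the diffstat, yet the request-response docs hunk in the same commit rewrites the `HttpResponse.set_cookie` and `set_signed_cookie` signatures to `httponly=True` and adds a 1.4 versionchanged note saying that default was changed; as far as this page shows, no `HttpResponse` code change backs that, so either the signature change is missing from the commit or those two doc lines overstate what was done. Separately, the retained comment on the changed line, `# Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)`, is out of date now that RFC 6265 specifies the HttpOnly attribute; `# Whether to set the HttpOnly flag (RFC 6265) on the session cookie, keeping it out of reach of client-side script.` would describe the setting accurately.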


@ -343,7 +343,8 @@ class SessionMiddlewareTests(unittest.TestCase):
# Handle the response through the middleware # Handle the response through the middleware
response = middleware.process_response(request, response) response = middleware.process_response(request, response)
self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure']) self.assertTrue(
response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
@override_settings(SESSION_COOKIE_HTTPONLY=True) @override_settings(SESSION_COOKIE_HTTPONLY=True)
def test_httponly_session_cookie(self): def test_httponly_session_cookie(self):
@ -357,7 +358,27 @@ class SessionMiddlewareTests(unittest.TestCase):
# Handle the response through the middleware # Handle the response through the middleware
response = middleware.process_response(request, response) response = middleware.process_response(request, response)
self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']) self.assertTrue(
response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
self.assertIn('httponly',
str(response.cookies[settings.SESSION_COOKIE_NAME]))
@override_settings(SESSION_COOKIE_HTTPONLY=False)
def test_no_httponly_session_cookie(self):
request = RequestFactory().get('/')
response = HttpResponse('Session test')
middleware = SessionMiddleware()
# Simulate a request the modifies the session
middleware.process_request(request)
request.session['hello'] = 'world'
# Handle the response through the middleware
response = middleware.process_response(request, response)
self.assertFalse(
response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
self.assertNotIn('httponly',
str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']))
class CookieSessionTests(SessionTestsMixin, TestCase): class CookieSessionTests(SessionTestsMixin, TestCase):
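Review bot: The final assertion of the new `test_no_httponly_session_cookie` stringifies the morsel's `httponly` attribute value rather than the morsel itself, so `'httponly' not in str(response.cookies[...]['httponly'])` holds no matter what Set-Cookie header is rendered and the test cannot fail on that check. The positive sibling `test_httponly_session_cookie` in the hunk above uses `str(response.cookies[settings.SESSION_COOKIE_NAME])`; the negative test should do the same, `str(response.cookies[settings.SESSION_COOKIE_NAME])`, so it verifies the emitted cookie really lacks the HttpOnly attribute. The comment `# Simulate a request the modifies the session` also has a typo (`that`), copied from the test above it.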


@ -638,7 +638,7 @@ Methods
Returns ``True`` or ``False`` based on a case-insensitive check for a Returns ``True`` or ``False`` based on a case-insensitive check for a
header with the given name. header with the given name.
.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False) .. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionchanged:: 1.3 .. versionchanged:: 1.3
@ -646,6 +646,10 @@ Methods
``expires``, and the auto-calculation of ``max_age`` in such case ``expires``, and the auto-calculation of ``max_age`` in such case
was added. The ``httponly`` argument was also added. was added. The ``httponly`` argument was also added.
.. versionchanged:: 1.4
The default value for httponly was changed from ``False`` to ``True``.
Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel` Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
object in the Python standard library. object in the Python standard library.
@ -673,7 +677,7 @@ Methods
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly .. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False) .. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
.. versionadded:: 1.4 .. versionadded:: 1.4


@ -451,10 +451,10 @@ Minor features
Django 1.4 also includes several smaller improvements worth noting: Django 1.4 also includes several smaller improvements worth noting:
* A more usable stacktrace in the technical 500 page: frames in the stack * A more usable stacktrace in the technical 500 page: frames in the
trace which reference Django's code are dimmed out, while frames in user stack trace which reference Django's code are dimmed out, while
code are slightly emphasized. This change makes it easier to scan a stacktrace frames in user code are slightly emphasized. This change makes it
for issues in user code. easier to scan a stacktrace for issues in user code.
* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL. * :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages` * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
command. command.
* Changed the default value for ``httponly`` on session cookies to
``True`` to help reduce the impact of potential XSS attacks.
.. _backwards-incompatible-changes-1.4: .. _backwards-incompatible-changes-1.4:
Backwards incompatible changes in 1.4 Backwards incompatible changes in 1.4


@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting.
.. note:: .. note::
It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
to ``True`` to prevent tampering of the stored data from JavaScript. ``True`` to prevent tampering of the stored data from JavaScript.
.. warning:: .. warning::
@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as
SESSION_COOKIE_HTTPONLY SESSION_COOKIE_HTTPONLY
----------------------- -----------------------
Default: ``False`` Default: ``True``
Whether to use HTTPOnly flag on the session cookie. If this is set to Whether to use HTTPOnly flag on the session cookie. If this is set to
``True``, client-side JavaScript will not to be able to access the ``True``, client-side JavaScript will not to be able to access the