mirror of https://github.com/django/django.git
Fixed #16847. Session Cookies now default to httponly = True.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17135 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
43c5d35315
commit
4d975b4f88
|
@ -445,7 +445,7 @@ SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seco
|
||||||
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
|
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
|
||||||
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
|
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
|
||||||
SESSION_COOKIE_PATH = '/' # The path of the session cookie.
|
SESSION_COOKIE_PATH = '/' # The path of the session cookie.
|
||||||
SESSION_COOKIE_HTTPONLY = False # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
|
SESSION_COOKIE_HTTPONLY = True # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
|
||||||
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
|
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
|
||||||
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed.
|
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether a user's session cookie expires when the Web browser is closed.
|
||||||
SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data
|
SESSION_ENGINE = 'django.contrib.sessions.backends.db' # The module to store session data
|
||||||
|
|
|
@ -343,7 +343,8 @@ class SessionMiddlewareTests(unittest.TestCase):
|
||||||
|
|
||||||
# Handle the response through the middleware
|
# Handle the response through the middleware
|
||||||
response = middleware.process_response(request, response)
|
response = middleware.process_response(request, response)
|
||||||
self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
|
self.assertTrue(
|
||||||
|
response.cookies[settings.SESSION_COOKIE_NAME]['secure'])
|
||||||
|
|
||||||
@override_settings(SESSION_COOKIE_HTTPONLY=True)
|
@override_settings(SESSION_COOKIE_HTTPONLY=True)
|
||||||
def test_httponly_session_cookie(self):
|
def test_httponly_session_cookie(self):
|
||||||
|
@ -357,7 +358,27 @@ class SessionMiddlewareTests(unittest.TestCase):
|
||||||
|
|
||||||
# Handle the response through the middleware
|
# Handle the response through the middleware
|
||||||
response = middleware.process_response(request, response)
|
response = middleware.process_response(request, response)
|
||||||
self.assertTrue(response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
|
self.assertTrue(
|
||||||
|
response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
|
||||||
|
self.assertIn('httponly',
|
||||||
|
str(response.cookies[settings.SESSION_COOKIE_NAME]))
|
||||||
|
|
||||||
|
@override_settings(SESSION_COOKIE_HTTPONLY=False)
|
||||||
|
def test_no_httponly_session_cookie(self):
|
||||||
|
request = RequestFactory().get('/')
|
||||||
|
response = HttpResponse('Session test')
|
||||||
|
middleware = SessionMiddleware()
|
||||||
|
|
||||||
|
# Simulate a request the modifies the session
|
||||||
|
middleware.process_request(request)
|
||||||
|
request.session['hello'] = 'world'
|
||||||
|
|
||||||
|
# Handle the response through the middleware
|
||||||
|
response = middleware.process_response(request, response)
|
||||||
|
self.assertFalse(
|
||||||
|
response.cookies[settings.SESSION_COOKIE_NAME]['httponly'])
|
||||||
|
self.assertNotIn('httponly',
|
||||||
|
str(response.cookies[settings.SESSION_COOKIE_NAME]['httponly']))
|
||||||
|
|
||||||
|
|
||||||
class CookieSessionTests(SessionTestsMixin, TestCase):
|
class CookieSessionTests(SessionTestsMixin, TestCase):
|
||||||
|
|
|
@ -638,7 +638,7 @@ Methods
|
||||||
Returns ``True`` or ``False`` based on a case-insensitive check for a
|
Returns ``True`` or ``False`` based on a case-insensitive check for a
|
||||||
header with the given name.
|
header with the given name.
|
||||||
|
|
||||||
.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
|
.. method:: HttpResponse.set_cookie(key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
|
||||||
|
|
||||||
.. versionchanged:: 1.3
|
.. versionchanged:: 1.3
|
||||||
|
|
||||||
|
@ -646,6 +646,10 @@ Methods
|
||||||
``expires``, and the auto-calculation of ``max_age`` in such case
|
``expires``, and the auto-calculation of ``max_age`` in such case
|
||||||
was added. The ``httponly`` argument was also added.
|
was added. The ``httponly`` argument was also added.
|
||||||
|
|
||||||
|
.. versionchanged:: 1.4
|
||||||
|
|
||||||
|
The default value for httponly was changed from ``False`` to ``True``.
|
||||||
|
|
||||||
Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
|
Sets a cookie. The parameters are the same as in the :class:`Cookie.Morsel`
|
||||||
object in the Python standard library.
|
object in the Python standard library.
|
||||||
|
|
||||||
|
@ -673,7 +677,7 @@ Methods
|
||||||
|
|
||||||
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
|
.. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly
|
||||||
|
|
||||||
.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=False)
|
.. method:: HttpResponse.set_signed_cookie(key, value='', salt='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=True)
|
||||||
|
|
||||||
.. versionadded:: 1.4
|
.. versionadded:: 1.4
|
||||||
|
|
||||||
|
|
|
@ -451,10 +451,10 @@ Minor features
|
||||||
|
|
||||||
Django 1.4 also includes several smaller improvements worth noting:
|
Django 1.4 also includes several smaller improvements worth noting:
|
||||||
|
|
||||||
* A more usable stacktrace in the technical 500 page: frames in the stack
|
* A more usable stacktrace in the technical 500 page: frames in the
|
||||||
trace which reference Django's code are dimmed out, while frames in user
|
stack trace which reference Django's code are dimmed out, while
|
||||||
code are slightly emphasized. This change makes it easier to scan a stacktrace
|
frames in user code are slightly emphasized. This change makes it
|
||||||
for issues in user code.
|
easier to scan a stacktrace for issues in user code.
|
||||||
|
|
||||||
* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
|
* :doc:`Tablespace support </topics/db/tablespaces>` in PostgreSQL.
|
||||||
|
|
||||||
|
@ -498,6 +498,9 @@ Django 1.4 also includes several smaller improvements worth noting:
|
||||||
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
|
* Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
|
||||||
command.
|
command.
|
||||||
|
|
||||||
|
* Changed the default value for ``httponly`` on session cookies to
|
||||||
|
``True`` to help reduce the impact of potential XSS attacks.
|
||||||
|
|
||||||
.. _backwards-incompatible-changes-1.4:
|
.. _backwards-incompatible-changes-1.4:
|
||||||
|
|
||||||
Backwards incompatible changes in 1.4
|
Backwards incompatible changes in 1.4
|
||||||
|
|
|
@ -110,8 +110,8 @@ and the :setting:`SECRET_KEY` setting.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
It's recommended to set the :setting:`SESSION_COOKIE_HTTPONLY` setting
|
It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY` setting
|
||||||
to ``True`` to prevent tampering of the stored data from JavaScript.
|
``True`` to prevent tampering of the stored data from JavaScript.
|
||||||
|
|
||||||
.. warning::
|
.. warning::
|
||||||
|
|
||||||
|
@ -504,7 +504,7 @@ The domain to use for session cookies. Set this to a string such as
|
||||||
SESSION_COOKIE_HTTPONLY
|
SESSION_COOKIE_HTTPONLY
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
Default: ``False``
|
Default: ``True``
|
||||||
|
|
||||||
Whether to use HTTPOnly flag on the session cookie. If this is set to
|
Whether to use HTTPOnly flag on the session cookie. If this is set to
|
||||||
``True``, client-side JavaScript will not to be able to access the
|
``True``, client-side JavaScript will not to be able to access the
|
||||||
|
|
Loading…
Reference in New Issue