From e13dc4905330dd2705d5b82420141b2fabab9a29 Mon Sep 17 00:00:00 2001 From: Paul McMillan Date: Tue, 22 Nov 2011 01:05:14 +0000 Subject: [PATCH] Improved release notes about session cookie httponly flag (#16847) per Luke's comments. git-svn-id: http://code.djangoproject.com/svn/django/trunk@17140 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/releases/1.4.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt index 9275ac6ffeb..10cbe3dba9b 100644 --- a/docs/releases/1.4.txt +++ b/docs/releases/1.4.txt @@ -498,9 +498,6 @@ Django 1.4 also includes several smaller improvements worth noting: * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages` command. -* Changed the default value for ``httponly`` on session cookies to - ``True`` to help reduce the impact of potential XSS attacks. - * Changed the ``locmem`` cache backend to use ``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other cache backends. @@ -948,3 +945,11 @@ Now, the flags are keyword arguments of :meth:`@register.filter return value See :ref:`filters and auto-escaping ` for more information. + +Session cookies now have the ``httponly`` flag by default +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Session cookies now include the ``httponly`` attribute by default to +help reduce the impact of potential XSS attacks. For strict backwards +compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings. +