Fixed #17766. Clarified HttpOnly flag on session cookie.

Thanks ptone for the patch!


git-svn-id: http://code.djangoproject.com/svn/django/trunk@17618 bcc190cf-cafb-0310-a4f2-bffc1f526a37

docs/releases/1.4-beta-1.txt

@@ -1112,8 +1112,11 @@ Session cookies now have the ``httponly`` flag by default
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
+help reduce the impact of potential XSS attacks. As a consequence of
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+this change, session cookie data, including sessionid, is no longer
+accessible from Javascript in many browsers. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
+settings file.
 
 Wildcard expansion of application names in `INSTALLED_APPS`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

docs/releases/1.4.txt

@@ -998,8 +998,11 @@ Session cookies now have the ``httponly`` flag by default
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Session cookies now include the ``httponly`` attribute by default to
-help reduce the impact of potential XSS attacks. For strict backwards
+help reduce the impact of potential XSS attacks. As a consequence of
-compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your settings file.
+this change, session cookie data, including sessionid, is no longer
+accessible from Javascript in many browsers. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in your
+settings file.
 
 The :tfilter:`urlize` filter no longer escapes every URL
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~