I just discovered that since last summer HTTP-Only cookies are available in CherryPy.
I personally use a custom session tool that uses a session_id client-side. This session_id can easily be read by some JavaScript code, and thus stolen through HTML/JavaScript code injection.
So if you want to prevent your session cookies from being read by a malicious client-side script, you have to use HTTP-Only cookies: this kind of cookie can only be read by the server, not by client-side script (most browsers support that feature now).
To use HTTP-Only cookies with CherryPy sessions, just add the following line to your configuration file:
tools.sessions.httponly = True
If you use SSL you can also mark your cookies secure (so the browser only sends them over encrypted HTTPS connections), which prevents "man in the middle" cookie reading, with:
tools.sessions.secure = True
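As an added illustration (not from the original post and not CherryPy's own code), here is a Python stand-in that renders the Set-Cookie header each of the two settings above would produce and audits which protective attribute is missing. The config dictionaries are constructed, CherryPy itself is not imported, and the session id is a made-up value.

```python
from http.cookies import SimpleCookie

# Constructed CherryPy-style settings: the two option names are the ones from
# the post; this module only mirrors the cookie attributes they control.
WEAK_CONFIG = {"tools.sessions.on": True}
HARDENED_CONFIG = {
    "tools.sessions.on": True,
    "tools.sessions.httponly": True,  # cookie is invisible to document.cookie
    "tools.sessions.secure": True,    # cookie is only sent over HTTPS
}


def build_session_cookie(config, session_id):
    """Render the Set-Cookie value a session tool would emit for `config`."""
    jar = SimpleCookie()
    name = config.get("tools.sessions.name", "session_id")  # assumed key name
    jar[name] = session_id
    jar[name]["path"] = "/"
    if config.get("tools.sessions.httponly", False):
        jar[name]["httponly"] = True
    if config.get("tools.sessions.secure", False):
        jar[name]["secure"] = True
    # output() prefixes the header name; an empty header leaves just the value.
    return jar.output(header="").strip()


def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value.

    Attribute names after the first `name=value` pair are compared
    case-insensitively, as browsers do.
    """
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attributes]


if __name__ == "__main__":
    fake_id = "d41d8cd98f00b204e9800998ecf8427e"  # constructed session id
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        header = build_session_cookie(cfg, fake_id)
        print(f"{label:9s} Set-Cookie: {header}")
        print(f"          missing: {audit_set_cookie(header)}")
```

The same audit function can be pointed at the Set-Cookie header of a live response to confirm the configuration actually took effect.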
You might already know this stuff, but in case you didn't I guess it was worth mentioning, as these lines never appear in documentation examples.
Laurent.