[Django] #23149: Confusing documentation on HTTPOnly with cookie backed sessions


Django

Aug 2, 2014, 4:09:17 AM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions
--------------------------------------+--------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+--------------------
Our
[[https://github.com/django/django/blob/master/docs/topics/http/sessions.txt#L126|documentation
on cookie backed sessions]] says:
{{{
It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY`
setting
``True`` to prevent tampering of the stored data from JavaScript.
}}}

This appears to imply that if you set `SESSION_COOKIE_HTTPONLY` to False,
it is possible to tamper with the stored data. However, tampering is
prevented not by HTTPONLY, but by the signature on the cookie, based on
the secret key. Although disabling HTTPONLY would allow tampering from
JavaScript, that tampering would still be immediately evident on the
server side.

I propose changing this to:
{{{
It's recommended to leave the :setting:`SESSION_COOKIE_HTTPONLY`
setting
``True`` to prevent access to the stored data from JavaScript.
}}}

It's rather trivial, but as this is security documentation, I think it
should still have a second pair of eyes.

--
Ticket URL: <https://code.djangoproject.com/ticket/23149>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
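As an added illustration, not code from the ticket or from Django itself, the reporter's point can be checked directly: a cookie-backed session stores data as a signed "payload:signature" value, so a payload that was edited (as script could do when HttpOnly is off) fails the server-side signature check, while HttpOnly only controls whether the cookie is visible to script at all. The secret key, cookie name and helper names below are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie
from typing import Optional

# Constructed demo key; Django derives its signing key from settings.SECRET_KEY.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 over the encoded payload, keyed with the server secret.
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def encode_session(data: dict) -> str:
    """Serialise the session dict as "payload:signature" (same shape as Django's signer)."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    return f"{payload.decode()}:{_sign(payload).decode()}"


def decode_session(cookie_value: str) -> Optional[dict]:
    """Return the session dict, or None when the signature does not match the payload."""
    payload, _, sig = cookie_value.rpartition(":")
    # Constant-time compare: an altered payload or a forged signature is rejected
    # here, which is why tampering is caught regardless of the HttpOnly flag.
    if not payload or not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def set_cookie_header(value: str, httponly: bool = True) -> str:
    """Build the Set-Cookie line; HttpOnly keeps the cookie out of document.cookie."""
    cookie = SimpleCookie()
    cookie["sessionid"] = value
    cookie["sessionid"]["httponly"] = httponly
    cookie["sessionid"]["secure"] = True
    return cookie.output(header="").strip()


def replace_payload(cookie_value: str, data: dict) -> str:
    """Keep the old signature but swap the data: the edit decode_session must reject."""
    _, _, sig = cookie_value.rpartition(":")
    return f"{_b64(json.dumps(data, sort_keys=True).encode()).decode()}:{sig}"
```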

Django

Aug 2, 2014, 11:42:24 AM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions
-------------------------------------+-------------------------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.sessions | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by bmispelon):

* needs_better_patch: => 0
* needs_docs: => 0
* needs_tests: => 0
* stage: Unreviewed => Ready for checkin


Comment:

It makes sense to me.

Note that there seems to be a word missing from the sentence in the first
place: "it's recommended to leave the SESSION_COOKIE_HTTPONLY setting
**to** True".

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:1>

Django

Aug 2, 2014, 12:56:36 PM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions
-------------------------------------+-------------------------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: contrib.sessions | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Erik Romijn <eromijn@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"e26366da44bb343e7a95d01ff0dd18b8026c2802"]:
{{{
#!CommitTicketReference repository=""
revision="e26366da44bb343e7a95d01ff0dd18b8026c2802"
Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session docs
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:2>

Django

Aug 2, 2014, 12:59:12 PM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions

Comment (by Erik Romijn <eromijn@…>):

In [changeset:"a4eb5909588eb8be7e906206750d1b90c02ec4d1"]:
{{{
#!CommitTicketReference repository=""
revision="a4eb5909588eb8be7e906206750d1b90c02ec4d1"
[1.7.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session
docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:3>

Django

Aug 2, 2014, 1:00:47 PM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions

Comment (by Erik Romijn <eromijn@…>):

In [changeset:"316178efe6308378f2b812f96a35f378c5003c08"]:
{{{
#!CommitTicketReference repository=""
revision="316178efe6308378f2b812f96a35f378c5003c08"
[1.6.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session
docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:4>

Django

Aug 2, 2014, 1:01:24 PM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions

Comment (by Erik Romijn <eromijn@…>):

In [changeset:"12ac0bb91bd2c18c06409e88b025f42cfe1ef555"]:
{{{
#!CommitTicketReference repository=""
revision="12ac0bb91bd2c18c06409e88b025f42cfe1ef555"
[1.5.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session
docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:5>

Django

Aug 2, 2014, 1:02:32 PM8/2/14
to django-...@googlegroups.com
#23149: Confusing documentation on HTTPOnly with cookie backed sessions

Comment (by Erik Romijn <eromijn@…>):

In [changeset:"bc03817b42900c24643aaa086cbbf41d96c08dde"]:
{{{
#!CommitTicketReference repository=""
revision="bc03817b42900c24643aaa086cbbf41d96c08dde"
[1.4.x] Fixed #23149 -- Clarified note on HTTPOnly in cookie-based session
docs

Backport of e26366da44bb343e7a95d01ff0dd18b8026c2802 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/23149#comment:6>
