From 456d4db251ac8b04f10d7f09eb711f5cc9a73e8d Mon Sep 17 00:00:00 2001 From: Claude Paroz Date: Sun, 1 Apr 2012 17:17:21 +0000 Subject: [PATCH] [1.4.X] Fixed #18045 -- Corrected the documented default value of SESSION_COOKIE_HTTPONLY setting. Missing bit of r17135. Backport of r17862 from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.4.X@17863 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/settings.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index c06ef1ad3f..1dabdaeb10 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -1711,7 +1711,7 @@ domain cookie. See the :doc:`/topics/http/sessions`. SESSION_COOKIE_HTTPONLY ----------------------- -Default: ``False`` +Default: ``True`` Whether to use HTTPOnly flag on the session cookie. If this is set to ``True``, client-side JavaScript will not to be able to access the @@ -1725,6 +1725,9 @@ protected cookie data. .. _HTTPOnly: http://www.owasp.org/index.php/HTTPOnly +.. versionchanged:: 1.4 + The default value of the setting was changed from ``False`` to ``True``. + .. setting:: SESSION_COOKIE_NAME SESSION_COOKIE_NAME
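Review bot: the unchanged context line in the first hunk still reads "client-side JavaScript will not to be able to access the" (stray "to"); since this paragraph is being edited anyway, fixing that wording in the same change would be cheap. The new ``Default: ``True```` line matches what the commit message says r17135 introduced, but the Default line is the only place most readers learn the value, so it is worth confirming it against the actual default in the settings module (django/conf/global_settings.py) before merging rather than trusting the message alone.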
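Review bot: the ``.. versionchanged:: 1.4`` block in the second hunk is inserted after the ``.. _HTTPOnly:`` link target, at the very end of the section, so a reader who only checks the ``Default:`` line at the top of the entry will not see it; consider placing it directly under ``Default: ``True```` instead. The note could also say what the change means for upgraders: a site whose client-side JavaScript reads the session cookie (which the surrounding text says the flag prevents) must now set ``SESSION_COOKIE_HTTPONLY = False`` explicitly, while everyone else gets the stricter behaviour by default.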