Add HTTP-only Cookie Support in Django


Certain web applications face the risk of cross-site scripting vulnerabilities. Although this is the fault of the web applications and can always be avoided by correct programming, an extra security mechanism can never hurt.

That is the reason Microsoft introduced HTTP-only Cookies in Internet Explorer 6 SP1. Firefox added support in Gran Paradiso Alpha 3.

I wanted to use this feature with my favourite web framework, Django. Unfortunately, as of this writing, it is not available.


Since Python lacks support for HTTP-only cookies, two patches are needed: one for Python and one for Django.


Of course I made enhancement requests for Python and Django, but so far the patches have not been integrated.
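What the flag amounts to on the wire, as an added example that is not the patches mentioned on this page: it marks every outgoing cookie `HttpOnly` unless page scripts need to read it. It assumes a Python whose `http.cookies` module accepts the `httponly` attribute; `FakeResponse`, `force_httponly` and the cookie names are constructed for illustration.

```python
from http.cookies import SimpleCookie


class FakeResponse:
    """Constructed stand-in for a framework response; Django's HttpResponse
    likewise keeps outgoing cookies in a SimpleCookie named `cookies`."""

    def __init__(self):
        self.cookies = SimpleCookie()


def force_httponly(response, exempt=()):
    """Set the HttpOnly flag on every outgoing cookie not listed in `exempt`.

    Returns the sorted names of the cookies that were changed, for logging.
    """
    changed = []
    for name, morsel in response.cookies.items():
        # An unset flag is the empty string, so this skips cookies already marked.
        if name in exempt or morsel["httponly"]:
            continue
        morsel["httponly"] = True
        changed.append(name)
    return sorted(changed)


def set_cookie_headers(response):
    """Render the Set-Cookie header values the client would receive."""
    return [m.OutputString() for _, m in sorted(response.cookies.items())]


def demo():
    # Constructed sample cookies: a session id that scripts never need to
    # read, and a UI preference that page JavaScript reads (kept exempt).
    resp = FakeResponse()
    resp.cookies["sessionid"] = "abc123"
    resp.cookies["sessionid"]["path"] = "/"
    resp.cookies["theme"] = "dark"
    changed = force_httponly(resp, exempt=("theme",))
    return changed, set_cookie_headers(resp)


if __name__ == "__main__":
    changed, headers = demo()
    print("flag added to:", changed)
    for header in headers:
        print("Set-Cookie:", header)
```

Running `force_httponly` a second time on the same response changes nothing, so it can sit at the end of a response pipeline without double-processing cookies that the application already marked.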


Last modified 31st December 2007 Copyright (©) 2007 by Arvin Schnell
