Index: django/http/__init__.py
===================================================================
--- django/http/__init__.py (revision 4325)
+++ django/http/__init__.py (working copy)
@@ -196,9 +196,9 @@
return True
return False
- def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None):
+ def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None):
self.cookies[key] = value
- for var in ('max_age', 'path', 'domain', 'secure', 'expires'):
+ for var in ('max_age', 'path', 'domain', 'secure', 'expires', 'httponly'):
val = locals()[var]
if val is not None:
self.cookies[key][var.replace('_', '-')] = val
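Review bot: The assignment `self.cookies[key][var.replace('_', '-')] = val` on the last line of the hunk now hands `'httponly'` to the standard-library `Cookie.Morsel`, which rejects attribute names it does not recognise with `CookieError`; `httponly` was only added to `Morsel`'s reserved attributes in later Python releases, so on an older interpreter the new parameter turns every `httponly=True` call into an exception at response time. If the supported Python range includes such a version, the name should be registered on `Morsel._reserved` once at import (or the assignment guarded) before it is used here. A docstring on `set_cookie` should also state that each keyword is only written to the cookie when it is not `None`, which is why callers pass `setting or None` rather than a bare `False`. The `locals()[var]` lookup works but is fragile under renames; iterating an explicit tuple of `(name, value)` pairs would make the emitted attributes visible at a glance.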
Index: django/conf/global_settings.py
===================================================================
--- django/conf/global_settings.py (revision 4325)
+++ django/conf/global_settings.py (working copy)
@@ -257,6 +257,7 @@
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
+SESSION_COOKIE_HTTPONLY = False # Whether the session cookie should be httponly.
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether sessions expire when a user closes his browser.
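Review bot: The comment on the new `SESSION_COOKIE_HTTPONLY` line only restates the setting name; a reader of global_settings should learn what the flag does, e.g. `SESSION_COOKIE_HTTPONLY = False # Whether the session cookie should be HttpOnly (not readable by client-side script).` Stating that the default of False leaves existing deployments unchanged would also help, since the setting is opt-in.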
Index: django/contrib/sessions/middleware.py
===================================================================
--- django/contrib/sessions/middleware.py (revision 4325)
+++ django/contrib/sessions/middleware.py (working copy)
@@ -89,5 +89,6 @@
datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
- secure=settings.SESSION_COOKIE_SECURE or None)
+ secure=settings.SESSION_COOKIE_SECURE or None,
+ httponly=settings.SESSION_COOKIE_HTTPONLY or None)
return response
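Review bot: The `or None` on the new `httponly=settings.SESSION_COOKIE_HTTPONLY or None` argument is load-bearing rather than cosmetic: `set_cookie` skips only attributes whose value is `None`, so passing `False` straight through would hand a False value to the cookie's attribute instead of omitting it. A one-line comment above the call, `# set_cookie omits an attribute only when its value is None`, would keep the next editor from "simplifying" either the secure or the httponly argument. The enclosing function starts outside the hunk.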