Set HTTP-Only on our session cookie; bug 564278

2011-05-05 22:03:12 -07:00 · 2011-05-05 22:03:12 -07:00 · b1fe2c5e3c
--- a/settings.py
+++ b/settings.py
@ -664,6 +664,7 @@ SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_COOKIE_AGE = 1209600
 SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_DOMAIN = ".%s" % DOMAIN  # bug 608797
 MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage'