Ticket #3304: django.diff

django/http/__init__.py

@@ -196 +196 @@
                 return True
         return False
 
-    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None):
+    def set_cookie(self, key, value='', max_age=None, expires=None, path='/', domain=None, secure=None, httponly=None):
         self.cookies[key] = value
-        for var in ('max_age', 'path', 'domain', 'secure', 'expires'):
+        for var in ('max_age', 'path', 'domain', 'secure', 'expires', 'httponly'):
             val = locals()[var]
             if val is not None:
                 self.cookies[key][var.replace('_', '-')] = val

django/conf/global_settings.py

@@ -257 +257 @@
 SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
 SESSION_COOKIE_DOMAIN = None              # A string like ".lawrence.com", or None for standard domain cookie.
 SESSION_COOKIE_SECURE = False             # Whether the session cookie should be secure (https:// only).
+SESSION_COOKIE_HTTPONLY = False           # Whether the session cookie should be httponly.
 SESSION_SAVE_EVERY_REQUEST = False        # Whether to save the session data on every request.
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False   # Whether sessions expire when a user closes his browser.
 

django/contrib/sessions/middleware.py

@@ -89 +89 @@
                     datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
                 response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
                     max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
-                    secure=settings.SESSION_COOKIE_SECURE or None)
+                    secure=settings.SESSION_COOKIE_SECURE or None,
+                    httponly=settings.SESSION_COOKIE_HTTPONLY or None)
         return response