Use commonware.response.cookies to enable secure and httponly cookies…

… by default. Closes Issue 3.
raliste · Jan 22, 2011 · b476dd2 · b476dd2
1 parent 84b3cbf
commit b476dd2
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/docs/bestpractices.rst b/docs/bestpractices.rst
@@ -55,4 +55,21 @@ following works as expected::
 
 Mmmmh, Cookies
 --------------
-Om nom nom. Also: Issue 3.
+
+Django's default way of setting a cookie is set_cookie_ on the HTTP response.
+Unfortunately, both **secure** cookies (i.e., HTTPS-only) and **httponly**
+(i.e., cookies not readable by JavaScript, if the browser supports it) are
+disabled by default.
+
+To be secure by default, we use commonware's ``cookies`` app. It makes secure
+and httponly cookies the default, unless specifically requested otherwise.
+
+To disable either of these patches, set ``COOKIES_SECURE = False`` or
+``COOKIES_HTTPONLY = False`` in ``settings.py``.
+
+You can exempt every cookie by passing ``secure=False`` or ``httponly=False``
+to the ``set_cookie`` call, respectively::
+
+    response.set_cookie('hello', value='world', secure=False, httponly=False)
+
+.. _set_cookie: http://docs.djangoproject.com/en/dev/ref/request-response/#django.http.HttpResponse.set_cookie
diff --git a/settings.py b/settings.py
@@ -158,6 +158,7 @@ def JINJA_CONFIG():
     ROOT_PACKAGE,
 
     # Third-party apps
+    'commonware.response.cookies',
     'djcelery',
     'django_nose',
 

diff --git a/vendor b/vendor