Tag Archives: Coding Horror

HttpOnly cookies in Python & Pylons

Thanks to Jeff Atwood for posting about the benefits of the HttpOnly flag on cookies. Support for HttpOnly cookies has now been added to Python 2.6’s Cookie module, and Paste’s WSGIResponse. Pylons applications can now use the HttpOnly flag to protect cookies, significantly raising the bar against XSS attacks on users of those applications.

Latest versions of Firefox, Opera, and Internet Explorer already support HttpOnly. Now all that’s left is for Apple to fix CFNetwork to support HttpOnly and then WebKit/Safari will be able to support it too.