Mirror of https://github.com/django/django.git, synced 2025-10-26 07:06:08 +00:00

Fixed #28741 -- Removed unnecessary leading dot from cross-domain cookie examples.
		| @@ -452,7 +452,7 @@ SESSION_CACHE_ALIAS = 'default' | |||||||
| SESSION_COOKIE_NAME = 'sessionid' | SESSION_COOKIE_NAME = 'sessionid' | ||||||
| # Age of cookie, in seconds (default: 2 weeks). | # Age of cookie, in seconds (default: 2 weeks). | ||||||
| SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 | SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 | ||||||
| # A string like ".example.com", or None for standard domain cookie. | # A string like "example.com", or None for standard domain cookie. | ||||||
| SESSION_COOKIE_DOMAIN = None | SESSION_COOKIE_DOMAIN = None | ||||||
| # Whether the session cookie should be secure (https:// only). | # Whether the session cookie should be secure (https:// only). | ||||||
| SESSION_COOKIE_SECURE = False | SESSION_COOKIE_SECURE = False | ||||||
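Review bot: the reworded comment above `SESSION_COOKIE_DOMAIN` in this hunk drops the only hint that the value is shared with subdomains, which is the whole reason to set it; suggest `# A string like "example.com" (shared with its subdomains), or None for standard domain cookie.` so the settings file alone tells the reader what the value does.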
|   | |||||||
| @@ -752,10 +752,9 @@ Methods | |||||||
|       in UTC. If ``expires`` is a ``datetime`` object, the ``max_age`` |       in UTC. If ``expires`` is a ``datetime`` object, the ``max_age`` | ||||||
|       will be calculated. |       will be calculated. | ||||||
|     * Use ``domain`` if you want to set a cross-domain cookie. For example, |     * Use ``domain`` if you want to set a cross-domain cookie. For example, | ||||||
|       ``domain=".lawrence.com"`` will set a cookie that is readable by |       ``domain="example.com"`` will set a cookie that is readable by the | ||||||
|       the domains www.lawrence.com, blogs.lawrence.com and |       domains www.example.com, blog.example.com, etc. Otherwise, a cookie will | ||||||
|       calendars.lawrence.com. Otherwise, a cookie will only be readable by |       only be readable by the domain that set it. | ||||||
|       the domain that set it. |  | ||||||
|     * Use ``httponly=True`` if you want to prevent client-side |     * Use ``httponly=True`` if you want to prevent client-side | ||||||
|       JavaScript from having access to the cookie. |       JavaScript from having access to the cookie. | ||||||
|  |  | ||||||
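Review bot: the rewritten `domain` bullet says the cookie is readable by www.example.com, blog.example.com, etc., but the "etc." hides the point that matters for security: every subdomain receives it, including ones the setter does not control, which is exactly the `bad.example.com` scenario this same commit edits in the CSRF docs. Suggest closing the bullet with a reference to that section rather than leaving the trust implication to be discovered elsewhere.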
|   | |||||||
| @@ -309,7 +309,7 @@ Default: ``None`` | |||||||
| The domain to be used when setting the CSRF cookie.  This can be useful for | The domain to be used when setting the CSRF cookie.  This can be useful for | ||||||
| easily allowing cross-subdomain requests to be excluded from the normal cross | easily allowing cross-subdomain requests to be excluded from the normal cross | ||||||
| site request forgery protection.  It should be set to a string such as | site request forgery protection.  It should be set to a string such as | ||||||
| ``".example.com"`` to allow a POST request from a form on one subdomain to be | ``"example.com"`` to allow a POST request from a form on one subdomain to be | ||||||
| accepted by a view served from another subdomain. | accepted by a view served from another subdomain. | ||||||
|  |  | ||||||
| Please note that the presence of this setting does not imply that Django's CSRF | Please note that the presence of this setting does not imply that Django's CSRF | ||||||
| @@ -1733,8 +1733,8 @@ The age of the language cookie, in seconds. | |||||||
| Default: ``None`` | Default: ``None`` | ||||||
|  |  | ||||||
| The domain to use for the language cookie. Set this to a string such as | The domain to use for the language cookie. Set this to a string such as | ||||||
| ``".example.com"`` (note the leading dot!) for cross-domain cookies, or use | ``"example.com"`` for cross-domain cookies, or use ``None`` for a standard | ||||||
| ``None`` for a standard domain cookie. | domain cookie. | ||||||
|  |  | ||||||
| Be cautious when updating this setting on a production site. If you update | Be cautious when updating this setting on a production site. If you update | ||||||
| this setting to enable cross-domain cookies on a site that previously used | this setting to enable cross-domain cookies on a site that previously used | ||||||
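Review bot: removing "(note the leading dot!)" from the `LANGUAGE_COOKIE_DOMAIN` paragraph leaves deployments that followed the old advice without guidance; since the commit title calls the dot unnecessary rather than invalid, suggest one added sentence such as `A leading dot, as in ".example.com", is also accepted.` so nobody reads this as a required settings change.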
| @@ -2958,8 +2958,8 @@ The age of session cookies, in seconds. | |||||||
| Default: ``None`` | Default: ``None`` | ||||||
|  |  | ||||||
| The domain to use for session cookies. Set this to a string such as | The domain to use for session cookies. Set this to a string such as | ||||||
| ``".example.com"`` (note the leading dot!) for cross-domain cookies, or use | ``"example.com"`` for cross-domain cookies, or use ``None`` for a standard | ||||||
| ``None`` for a standard domain cookie. | domain cookie. | ||||||
|  |  | ||||||
| Be cautious when updating this setting on a production site. If you update | Be cautious when updating this setting on a production site. If you update | ||||||
| this setting to enable cross-domain cookies on a site that previously used | this setting to enable cross-domain cookies on a site that previously used | ||||||
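Review bot: the `SESSION_COOKIE_DOMAIN` paragraph gets the same edit as `LANGUAGE_COOKIE_DOMAIN`, but this is the security-sensitive setting, and the "Be cautious" paragraph that follows covers only the migration risk of changing the value. Suggest a cross-reference to the `good.example.com` / `bad.example.com` example in the CSRF docs (also touched by this commit), so the setting's own reference entry says that a cross-domain session cookie is sent to every subdomain.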
|   | |||||||
| @@ -653,7 +653,7 @@ you'll be logged in as the attacker and might inadvertently enter your | |||||||
| sensitive personal data (e.g. credit card info) into the attackers account. | sensitive personal data (e.g. credit card info) into the attackers account. | ||||||
|  |  | ||||||
| Another possible attack would be if ``good.example.com`` sets its | Another possible attack would be if ``good.example.com`` sets its | ||||||
| :setting:`SESSION_COOKIE_DOMAIN` to ``".example.com"`` which would cause | :setting:`SESSION_COOKIE_DOMAIN` to ``"example.com"`` which would cause | ||||||
| session cookies from that site to be sent to ``bad.example.com``. | session cookies from that site to be sent to ``bad.example.com``. | ||||||
|  |  | ||||||
| Technical details | Technical details | ||||||
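Review bot: the unchanged context line "into the attackers account" at the top of this hunk needs the possessive "attacker's"; since the commit already touches this paragraph, fixing it here avoids a separate typo-only change. The edited sentence about `SESSION_COOKIE_DOMAIN` and `bad.example.com` reads correctly as written.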
|   | |||||||