This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author jdufresne
Recipients jdufresne
Date 2015-01-16.14:25:00
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>

Relevant section:


5.2.6. The HttpOnly Attribute

If the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value.


If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.


http.cookies creates this attribute as `httponly` not `HttpOnly`.

It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.

(Same applies to the Secure flag.)
Date User Action Args
2015-01-16 14:25:00jdufresnesetrecipients: + jdufresne
2015-01-16 14:25:00jdufresnesetmessageid: <>
2015-01-16 14:25:00jdufresnelinkissue23250 messages
2015-01-16 14:25:00jdufresnecreate