web: More cookie doc updates.

tornadoweb · Feb 1, 2023 · 7c03790 · 7c03790
1 parent 6c37366
commit 7c03790
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/docs/guide/security.rst b/docs/guide/security.rst
@@ -338,6 +338,13 @@ for authentication, provides protection against XSRF attacks that is
 equivalent to Tornado's ``xsrf_cookies`` feature, so that feature is now
 deprecated.
 
+You may wish to continue using ``xsrf_cookies`` in some situations:
+
+* If your application may perform side effects in response to HTTP GET
+  requests, but cannot use ``samesite="strict"``.
+* If your authentication is based on something other than cookies, such
+  as TLS certificates or network addresses.
+
 If you have an application that uses Tornado's ``xsrf_cookies`` feature
 and you want to migrate to the ``samesite`` cookie attribute, follow these
 steps:

diff --git a/tornado/web.py b/tornado/web.py
@@ -745,6 +745,15 @@ def set_signed_cookie(
         Similar to `set_cookie`, the effect of this method will not be
         seen until the following request.
 
+        Consider setting additional attributes whenever you set a signed
+        cookie:
+        * Use the ``samesite="lax"`` (or ``"strict"``) attribute on any
+          cookie used for authentication to protect against XSRF attacks.
+        * Use the ``secure=True`` attribute if your application is
+          only available over HTTPS.
+        * Use the ``httponly=True`` attribute unless you need this cookie
+          to be readable from javascript.
+
         .. versionchanged:: 3.2.1
 
            Added the ``version`` argument.  Introduced cookie version 2