Opened 14 years ago
Closed 14 years ago
#14134 closed New feature (fixed)
Ability to set csrf cookie path and https-only plus add 'secure'
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | Core (Other) | Version: | 1.2 |
Severity: | Normal | Keywords: | csrf |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | yes |
Needs tests: | yes | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
This is useful if you have multiple Django instances running under the same hostname. The csrf cookies can use different cookie paths, and each instance will only see
its own csrf cookie. That text is taken almost directly from the SESSION_COOKIE_PATH documentation, it would be nice if csrf cookies worked the same way.
Attachments (1)
Change History (7)
by , 14 years ago
Attachment: | patch.diff added |
---|
comment:1 by , 14 years ago
Component: | Uncategorized → Core framework |
---|---|
Needs documentation: | set |
Triage Stage: | Unreviewed → Design decision needed |
follow-up: 3 comment:2 by , 14 years ago
Patch needs improvement: | set |
---|---|
Summary: | Ability to set csrf cookie path → Ability to set csrf cookie path and https-only |
Triage Stage: | Design decision needed → Accepted |
Absolutely required. We also need CSRF_COOKIE_SECURE
. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).
comment:3 by , 14 years ago
Needs tests: | set |
---|---|
Summary: | Ability to set csrf cookie path and https-only → Ability to set csrf cookie path and https-only plus add 'secure' |
Replying to mtredinnick:
Absolutely required. We also need
CSRF_COOKIE_SECURE
. Changing title to reflect that and make this ticket about getting the missing pieces of the CSRF cookie config in place (just needs the "secure" option added).
I have modified my local copy of Django to add the CSRF_COOKIE_SECURE feature.
Simply added in settings.py:
CSRF_COOKIE_SECURE = True
And in django/middleware/csrf.py
# Set the CSRF cookie even if it's already set, so we renew the expiry timer. response.set_cookie(settings.CSRF_COOKIE_NAME, request.META["CSRF_COOKIE"], max_age = 60 * 60 * 24 * 7 * 52, domain=settings.CSRF_COOKIE_DOMAIN,secure=settings.CSRF_COOKIE_SECURE)
Not much to it really and now my cookies are set as secure just like the Session cookie
comment:4 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → New feature |
add CSRF_COOKIE_PATH option to settings.py