Opened 13 years ago

Closed 13 years ago

#15060 closed (worksforme)

csrftoken cookie not being sent over SSL

Reported by: Burhan Khalid
Owned by: nobody
Component: Core (Other)
Version: 1.2
Severity:
Keywords: csrf ssl https
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The SESSION_COOKIE_SECURE setting is not being used for the csrftoken, causing it to be sent over HTTP. I believe this is the reason why I keep getting 'Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.' errors when trying to log in on the django admin.

Test environment:

glassfishv3
jython 2.5.2.rc2
django-jython 1.1.2 (against Oracle backend)
django 1.2.3
Windows

Note: no other servers are being used, glassfish is exclusively for django use (so no PHP mhash problems).

Change History (1)

comment:1 by Luke Plant, 13 years ago

Resolution: worksforme
Status: new → closed

SESSION_COOKIE_SECURE should not be used for CSRF cookies, since there is no link between CSRF and sessions.

We do need a CSRF_COOKIE_SECURE setting, but that is covered by #14134, and the lack of this setting should not stop the cookie being sent over SSL. If your problem was the CSRF cookie, I'm pretty sure you wouldn't see the error you are reporting.

In fact, I use Django on an HTTPS site, and it works fine for me. It has worked both when I had both HTTP/HTTPS enabled, and when I switched to HTTPS only and SESSION_COOKIE_SECURE = True.

I'll treat this bug according to the title ("csrftoken cookie not being sent over SSL"), rather than the other details, and mark as WORKSFORME accordingly. Please re-open if you can provide more details that would allow us to reproduce the problem, or an analysis that shows why this would happen.

Thanks!
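The browser rule the comment relies on, as an added example that is not part of the ticket or of Django's own code: a cookie without the Secure flag is sent over both HTTP and HTTPS, so a missing flag cannot stop the csrftoken reaching an SSL site; it only allows the value to leak over plain HTTP, which is what the later CSRF_COOKIE_SECURE setting (the one the comment says is needed) prevents. The Set-Cookie headers and cookie values below are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample: a response where SESSION_COOKIE_SECURE = True applied
# to the session cookie, but the CSRF cookie carries no Secure flag
# (the situation the reporter describes). Values are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "csrftoken=deadbeef; Path=/; Max-Age=31449600",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (cookie name, Morsel with attributes)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # one cookie per Set-Cookie header
    return name, morsel


def browser_would_send(morsel, scheme):
    """Model the browser's decision for a request on the given scheme.

    Secure cookies travel only over https; non-Secure cookies travel over
    both http and https. Hence a missing Secure flag never suppresses a
    cookie on an SSL request; it only exposes the cookie on plain HTTP.
    """
    if morsel["secure"]:  # "" when the flag is absent, True when present
        return scheme == "https"
    return scheme in ("http", "https")


def audit(headers):
    """Per cookie: is it Secure, and would a browser send it on http / https?

    A defender's check to run against a real response: every cookie on an
    HTTPS-only site should report secure=True and sent_over_http=False.
    """
    report = {}
    for header in headers:
        name, morsel = parse_set_cookie(header)
        report[name] = {
            "secure": bool(morsel["secure"]),
            "sent_over_https": browser_would_send(morsel, "https"),
            "sent_over_http": browser_would_send(morsel, "http"),
        }
    return report


if __name__ == "__main__":
    for name, facts in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, facts)
```

Run against the sample, the csrftoken entry shows the cookie is still sent over https, which is why the reported login error cannot be explained by the missing flag alone.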
