Opened 3 years ago

Closed 3 years ago

#15060 closed (worksforme)

csrftoken cookie not being sent over SSL

Reported by: burhan
Owned by: nobody
Component: Core (Other)
Version: 1.2
Severity:
Keywords: csrf ssl https
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

SESSION_COOKIE_SECURE setting is not being used for the csrftoken, causing it to be sent over HTTP. I believe this is the reason why I keep getting 'Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.' errors when trying to login on the django admin.

Test environment:

glassfishv3
jython 2.5.2.rc2
django-jython 1.1.2 (against Oracle backend)
django 1.2.3
Windows

Note: no other servers are being used, glassfish is exclusively for django use (so no PHP mhash problems).

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by lukeplant

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to worksforme
  • Status changed from new to closed

SESSION_COOKIE_SECURE should not be used for CSRF cookies, since there is no link between CSRF and sessions.

We do need a CSRF_COOKIE_SECURE setting, but that is covered by #14134, and the lack of this setting should not stop the cookie being sent over SSL. If your problem was the CSRF cookie, I'm pretty sure you wouldn't see the error you are reporting.

In fact, I use Django on an HTTPS site, and it works fine for me. It has worked both when I had both HTTP/HTTPS enabled, and when I switched to HTTPS only and SESSION_COOKIE_SECURE = True.

I'll treat this bug according to the title ("csrftoken cookie not being sent over SSL"), rather than the other details, and mark as WORKSFORME accordingly. Please re-open if you can provide more details that would allow us to reproduce the problem, or an analysis that shows why this would happen.

Thanks!
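The distinction made in the comment above (SESSION_COOKIE_SECURE governs only sessionid; the csrftoken cookie needs its own Secure flag, the CSRF_COOKIE_SECURE setting tracked in #14134) can be verified from the Set-Cookie headers a site actually emits. The following is an added example, not Django's own code or anything from this ticket; the header values are constructed to mimic a Django 1.2 site with SESSION_COOKIE_SECURE = True and no CSRF cookie setting, and the function names are hypothetical.

```python
"""Report Django cookies that would still travel over plain HTTP.

Added example (not Django's code). Parses Set-Cookie header values with the
standard library and lists sensitive cookies lacking the Secure attribute.
"""
from http.cookies import SimpleCookie

# Cookies Django sets that should carry Secure on an HTTPS-only site.
SENSITIVE = {"sessionid", "csrftoken"}


def parse_set_cookie(headers):
    """Load a list of Set-Cookie header values into one SimpleCookie jar."""
    jar = SimpleCookie()
    for value in headers:
        jar.load(value)
    return jar


def insecure_cookies(headers, sensitive=SENSITIVE):
    """Return, sorted, the sensitive cookie names set without Secure."""
    jar = parse_set_cookie(headers)
    return sorted(
        name for name, morsel in jar.items()
        if name in sensitive and not morsel["secure"]
    )


# Constructed headers: what a Django 1.2 site emits with SESSION_COOKIE_SECURE
# = True. sessionid is Secure, csrftoken is not, because no CSRF_COOKIE_SECURE
# setting existed yet (ticket #14134).
DJANGO_12_HEADERS = [
    "sessionid=abc123; Max-Age=1209600; Path=/; secure",
    "csrftoken=deadbeef; Max-Age=31449600; Path=/",
]

# Constructed headers for the same site once both cookies are marked Secure.
HARDENED_HEADERS = [
    "sessionid=abc123; Max-Age=1209600; Path=/; secure",
    "csrftoken=deadbeef; Max-Age=31449600; Path=/; secure",
]

if __name__ == "__main__":
    print("Django 1.2 style:", insecure_cookies(DJANGO_12_HEADERS))  # ['csrftoken']
    print("Hardened:", insecure_cookies(HARDENED_HEADERS))  # []
```

Note that a missing Secure flag does not stop the cookie from being sent over HTTPS, which is the point made in the comment; it only allows the browser to also send it over HTTP.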
