Opened 7 years ago

Closed 7 years ago

#15060 closed (worksforme)

csrftoken cookie not being sent over SSL

Reported by: Burhan Khalid Owned by: nobody
Component: Core (Other) Version: 1.2
Severity: Keywords: csrf ssl https
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:


SESSION_COOKIE_SECURE setting is not being used for the csrftoken, causing it to be sent over HTTP. I believe this is the reason why I keep getting 'Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again.' errors when trying to login on the django admin.

Test environment:

jython 2.5.2.rc2
django-jython 1.1.2 (against Oracle backend)
django 1.2.3

Note: no other servers are being used, glassfish is exclusively for django use (so no PHP mhash problems).

Change History (1)

comment:1 Changed 7 years ago by Luke Plant

Resolution: worksforme
Status: newclosed

SESSION_COOKIE_SECURE should not be used for CSRF cookies, since there is no link between CSRF and sessions.

We do need a CSRF_COOKIE_SECURE setting, but that is covered by #14134, and the lack of this setting should not stop the cookie being sent over SSL. If your problem was the CSRF cookie, I'm pretty sure you wouldn't see the error you are reporting.

In fact, I use Django on an HTTPS site, and it works fine for me. It has worked both when I used had both HTTP/HTTPS enabled, and when I switched to HTTPS only and SESSION_COOKIE_SECURE = True.

I'll treat this bug according to the title ("csrftoken cookie not being sent over SSL"), rather than the other details, and mark as WORKSFORME accordingly. Please re-open if you can provide more details that would allow us to reproduce the problem, or a analysis that shows why this would happen.


Note: See TracTickets for help on using tickets.
Back to Top