messages cookie should follow session cookie secure/httponly
|Reported by:||erikr||Owned by:||erikr|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.
The information in the messages can be very sensitive, like "Patient John Doe succesfully saved", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages <2048 bytes, so this is very common.
As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow.