Opened 5 years ago

Closed 5 years ago

#20972 closed New feature (fixed)

messages cookie should follow session cookie secure/httponly

Reported by: Sasha Romijn Owned by: Sasha Romijn
Component: contrib.messages Version: master
Severity: Normal Keywords: security
Cc: eromijn@… Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.

The information in the messages can be very sensitive, like "Patient John Doe succesfully saved", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages <2048 bytes, so this is very common.

As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow.

Change History (3)

comment:1 Changed 5 years ago by Sasha Romijn

Cc: eromijn@… added

comment:2 Changed 5 years ago by Sasha Romijn

Has patch: set

PR created:

As a sidenote, anyone concerned about this issue can also avoid it by setting:
This will prevent django.contrib.messages from storing messages in cookies at any time, thereby avoiding the issue of any cookie settings, at the cost of a (probably very minor) performance hit.

comment:3 Changed 5 years ago by Erik Romijn <erik@…>

Resolution: fixed
Status: newclosed

In fa572666998bf5dc70d15ec9386d5d3692b264f2:

Fixed #20972 -- Make messages cookie follow session cookie secure/httponly

Note: See TracTickets for help on using tickets.
Back to Top