#20972 closed New feature (fixed)

messages cookie should follow session cookie secure/httponly

Reported by: erikr
Owned by: erikr
Component: contrib.messages
Version: master
Severity: Normal
Keywords: security
Cc: eromijn@…
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.

The information in the messages can be very sensitive, like "Patient John Doe successfully saved", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages <2048 bytes, so this is very common.

As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow.
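The before/after behaviour the ticket describes, as an added illustration rather than Django's own code: a stand-alone Python model of the messages cookie that first mirrors the reported behaviour (only the domain follows the session settings) and then the requested behaviour (Secure and HttpOnly follow SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY too), plus a small checker a deployment test could run over a real Set-Cookie header. The settings dict, the cookie name "messages" and the sample value are constructed assumptions for this example.

```python
from http.cookies import SimpleCookie

# Constructed stand-in for django.conf.settings (assumption: a plain dict).
SETTINGS = {
    "SESSION_COOKIE_DOMAIN": ".example.test",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}

# Assumed cookie name for the messages cookie in this example.
MESSAGES_COOKIE_NAME = "messages"


def messages_cookie_before(settings, value):
    """Reported behaviour: the messages cookie copies only the session domain."""
    jar = SimpleCookie()
    jar[MESSAGES_COOKIE_NAME] = value
    jar[MESSAGES_COOKIE_NAME]["domain"] = settings["SESSION_COOKIE_DOMAIN"]
    return jar.output(header="").strip()


def messages_cookie_after(settings, value):
    """Requested behaviour: secure/httponly follow the session settings as well."""
    jar = SimpleCookie()
    jar[MESSAGES_COOKIE_NAME] = value
    morsel = jar[MESSAGES_COOKIE_NAME]
    morsel["domain"] = settings["SESSION_COOKIE_DOMAIN"]
    if settings["SESSION_COOKIE_SECURE"]:
        morsel["secure"] = True
    if settings["SESSION_COOKIE_HTTPONLY"]:
        morsel["httponly"] = True
    return jar.output(header="").strip()


def cookie_flags(set_cookie_header):
    """Return the lowercase attribute names present after the name=value pair."""
    attrs = [a.strip() for a in set_cookie_header.split(";")[1:]]
    return {a.split("=", 1)[0].lower() for a in attrs if a}


def missing_session_flags(set_cookie_header, settings):
    """List the flags the session settings require but this cookie lacks.

    Running this over the Set-Cookie header of a response that set a message
    is a cheap regression check for the behaviour the ticket asks for.
    """
    flags = cookie_flags(set_cookie_header)
    missing = []
    if settings["SESSION_COOKIE_SECURE"] and "secure" not in flags:
        missing.append("Secure")
    if settings["SESSION_COOKIE_HTTPONLY"] and "httponly" not in flags:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    for label, build in (("before", messages_cookie_before), ("after", messages_cookie_after)):
        header = build(SETTINGS, "saved")
        print(label, "->", header, "| missing:", missing_session_flags(header, SETTINGS))
```

With the session settings above, the "before" cookie reports both Secure and HttpOnly as missing and the "after" cookie reports none; flipping SESSION_COOKIE_SECURE to False makes the checker stop demanding Secure, which is exactly the "follow the session settings" behaviour requested.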

Attachments (0)

Change History (3)

comment:1 Changed 11 months ago by erikr

  • Cc eromijn@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 11 months ago by erikr

  • Has patch set

PR created: https://github.com/django/django/pull/1515

As a sidenote, anyone concerned about this issue can also avoid it by setting:
MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage'
This will prevent django.contrib.messages from storing messages in cookies at any time, thereby avoiding the issue of any cookie settings, at the cost of a (probably very minor) performance hit.

comment:3 Changed 11 months ago by Erik Romijn <erik@…>

  • Resolution set to fixed
  • Status changed from new to closed

In fa572666998bf5dc70d15ec9386d5d3692b264f2:

Fixed #20972 -- Make messages cookie follow session cookie secure/httponly
