Opened 11 years ago
Closed 11 years ago
#20972 closed New feature (fixed)
messages cookie should follow session cookie secure/httponly
Reported by: | Sasha Romijn | Owned by: | Sasha Romijn |
---|---|---|---|
Component: | contrib.messages | Version: | dev |
Severity: | Normal | Keywords: | security |
Cc: | eromijn@… | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.
The information in the messages can be very sensitive, like "Patient John Doe successfully saved", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages <2048 bytes, so this is very common.
As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow.
Change History (3)
comment:1 by , 11 years ago
Cc: | added |
---|---|
comment:2 by , 11 years ago
Has patch: | set |
---|---|
comment:3 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
PR created: https://github.com/django/django/pull/1515
As a sidenote, anyone concerned about this issue can also avoid it by setting:
MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.SessionStorage'
This will prevent django.contrib.messages from storing messages in cookies at any time, thereby avoiding the issue of any cookie settings, at the cost of a (probably very minor) performance hit.
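The following is an added illustration, not code from the ticket, the linked PR or the Django project. It models the problem from the description (the messages cookie honours SESSION_COOKIE_DOMAIN but not SESSION_COOKIE_SECURE / SESSION_COOKIE_HTTPONLY) beside the behaviour the ticket asks for, using the standard-library `http.cookies` module in place of Django's `HttpResponse.set_cookie`, and adds a check that reports which flags the messages cookie lacks relative to the session settings. The `Settings` class and its values are constructed stand-ins; only the setting names and the cookie name `messages` come from the ticket and Django.

```python
from http.cookies import SimpleCookie

# Constructed stand-in for a Django settings module. The attribute names are
# the real Django settings named in the ticket; the values are made up.
class Settings:
    SESSION_COOKIE_DOMAIN = ".example.com"
    SESSION_COOKIE_SECURE = True
    SESSION_COOKIE_HTTPONLY = True

COOKIE_NAME = "messages"  # cookie name used by django.contrib.messages CookieStorage

def messages_cookie_header(encoded_data, settings, follow_session_flags):
    """Build the Set-Cookie value for the messages cookie.

    follow_session_flags=False reproduces the behaviour the ticket reports
    (only SESSION_COOKIE_DOMAIN is honoured); True additionally applies
    SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY, which is the change
    the ticket asks for (modelled here, not Django's own implementation).
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = encoded_data
    morsel = cookie[COOKIE_NAME]
    if settings.SESSION_COOKIE_DOMAIN:
        morsel["domain"] = settings.SESSION_COOKIE_DOMAIN
    if follow_session_flags:
        # Morsel emits "Secure" / "HttpOnly" only when the flag is truthy,
        # so a False setting simply leaves the attribute out.
        morsel["secure"] = settings.SESSION_COOKIE_SECURE
        morsel["httponly"] = settings.SESSION_COOKIE_HTTPONLY
    return morsel.OutputString()

def cookie_attributes(set_cookie_value):
    """Return the lower-cased attribute names present in a Set-Cookie value."""
    parts = set_cookie_value.split(";")[1:]  # skip the leading name=value pair
    return {part.strip().split("=", 1)[0].lower() for part in parts if part.strip()}

def flags_missing_vs_session(set_cookie_value, settings):
    """Flags the session cookie would carry that this cookie does not.

    Usable as a regression check in a test suite: an empty set means the
    messages cookie is at least as protected as the session cookie.
    """
    present = cookie_attributes(set_cookie_value)
    expected = set()
    if settings.SESSION_COOKIE_SECURE:
        expected.add("secure")
    if settings.SESSION_COOKIE_HTTPONLY:
        expected.add("httponly")
    return expected - present

if __name__ == "__main__":
    data = "constructed-encoded-messages"  # stands in for the signed payload
    before = messages_cookie_header(data, Settings, follow_session_flags=False)
    after = messages_cookie_header(data, Settings, follow_session_flags=True)
    print("before:", before, "-> missing:", flags_missing_vs_session(before, Settings))
    print("after: ", after, "-> missing:", flags_missing_vs_session(after, Settings))
```

With the constructed settings, the "before" header carries only `Domain=.example.com` and the check reports both `secure` and `httponly` as missing; the "after" header adds `HttpOnly; Secure` and the check returns an empty set. The same check applied to a real response's `Set-Cookie` header for the `messages` cookie is a cheap way to confirm a deployment has the fix, and it returns an empty set trivially under the SessionStorage workaround from comment 3, since no messages cookie is set at all.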