id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
20972	messages cookie should follow session cookie secure/httponly	Sasha Romijn	Sasha Romijn	"The cookie created by the CookieStorage backend for django.contrib.messages follows the domain for sessions, from the SESSION_COOKIE_DOMAIN, but not the secure and httponly settings, from SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY.

The information in the messages can be very sensitive, like ""Patient John Doe succesfully saved"", so I do feel strongly we have to fix this. It's probably best to follow the secure/httponly settings for sessions. In the default configuration, cookies will be used for all short messages <2048 bytes, so this is very common. 

As a sidenote, the SESSION_COOKIE_DOMAIN setting documentation does not mention this is also used for messages. This should probably be added - along with a note in the secure and httponly sessions, assuming this is the path we follow."	New feature	closed	contrib.messages	dev	Normal	fixed	security	eromijn@…	Unreviewed	1	0	0	0	0	0