id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24511	New feature: Make the session cookie secure if and only if request.is_secure()	Antonis Christofides	nobody	"Usually I require logged on users to use {{{https}}}. In that case, I specify {{{SESSION_COOKIE_SECURE = True}}}. This, however, makes it impossible to use anonymous sessions over {{{http}}}.

Examples: I have used sessions to store the sort order of a table, and to store the user's preferred language (I know language is also a browser setting, but sometimes it's not enough). These need to be available in anonymous sessions as well.

Sometimes what I do is run two instances of Django, with different {{{settings.py}}}; one has {{{SESSION_COOKIE_SECURE = True}}}, the other {{{False}}}; and I configure the web server to use the first one for {{{https}}} and the other one for {{{http}}}. But I think this is overkill when Django could simply look at {{{request.is_secure()}}} and decide accordingly.

I may write a patch about that, but first I wanted to know whether I'm understanding something wrong."	Uncategorized	closed	Uncategorized	1.7	Normal	wontfix			Unreviewed	0	0	0	0	0	0
