Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#30314 closed Cleanup/optimization (wontfix)

Enable SESSION_COOKIE_SECURE by Default

Reported by: nstr10 Owned by: nobody
Component: contrib.sessions Version: 2.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."

If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me.

Change History (2)

comment:1 Changed 2 years ago by Carlton Gibson

Component: Uncategorizedcontrib.sessions
Triage Stage: UnreviewedAccepted
Type: UncategorizedCleanup/optimization
Version: 2.12.2

OK, seems reasonable, yes.

Will need a note as a breaking changing in the 3.0 release notes.

I've asked on the mailing list if there are any reasons not to do this.

comment:2 Changed 2 years ago by Carlton Gibson

Easy pickings: unset
Resolution: wontfix
Status: newclosed
Triage Stage: AcceptedUnreviewed

As per input on the mailing list, adjusting the default here would cause issues logging in when using the development server. (This is likely to cause more trouble than it saves.)

The system check framework will raise a warning here when running with the --deploy flag.

Last edited 2 years ago by Carlton Gibson (previous) (diff)
Note: See TracTickets for help on using tickets.
Back to Top