Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#30314 closed Cleanup/optimization (wontfix)

Enable SESSION_COOKIE_SECURE by Default

Reported by: nstr10
Owned by: nobody
Component: contrib.sessions
Version: 2.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."

If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me.

Change History (2)

comment:1 by Carlton Gibson, 5 years ago

Component: Uncategorized → contrib.sessions
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
Version: 2.1 → 2.2

OK, seems reasonable, yes.

Will need a note as a breaking change in the 3.0 release notes.

I've asked on the mailing list if there are any reasons not to do this.

comment:2 by Carlton Gibson, 5 years ago

Easy pickings: unset
Resolution: wontfix
Status: new → closed
Triage Stage: Accepted → Unreviewed

As per input on the mailing list, adjusting the default here would cause issues logging in when using the development server. (This is likely to cause more trouble than it saves.)

The system check framework will raise a warning here when running with the --deploy flag.

Last edited 5 years ago by Carlton Gibson
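The two points the ticket closes on, shown in working code as an added example (this is not code from the ticket or from Django itself): a re-implementation of the session-cookie check that `manage.py check --deploy` runs, with settings passed as a plain dict standing in for a settings module (an assumption of this example) and warning ids mirroring Django's `security.W010`, `W011` and `W012`; and a standard-library cookie jar that honours the `Secure` attribute, which is why a Secure-only `sessionid` is never returned to `runserver` on `http://127.0.0.1:8000` and login appears to fail. The host, URL and session value are constructed for the demonstration.

```python
# Added example (not code from the Django ticket or from Django itself).
# Uses only the standard library:
#   1. session_cookie_secure_warnings() re-implements the --deploy check for
#      SESSION_COOKIE_SECURE; settings is a plain dict (an assumption here) and
#      the ids mirror Django's security.W010 / W011 / W012.
#   2. cookie_header_for() shows what a Secure-honouring client sends back,
#      which is the reason a Secure-by-default cookie breaks the http:// dev server.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

SESSION_APP = "django.contrib.sessions"
SESSION_MIDDLEWARE = "django.contrib.sessions.middleware.SessionMiddleware"


def session_cookie_secure_warnings(settings):
    """Return the check ids --deploy would emit for SESSION_COOKIE_SECURE.

    No warning once the setting is True; W010 if the sessions app is installed,
    W011 if the session middleware is enabled, W012 when both are present.
    """
    if settings.get("SESSION_COOKIE_SECURE") is True:
        return []
    found = []
    if SESSION_APP in settings.get("INSTALLED_APPS", ()):
        found.append("security.W010")
    if SESSION_MIDDLEWARE in settings.get("MIDDLEWARE", ()):
        found.append("security.W011")
    return ["security.W012"] if len(found) > 1 else found


def session_cookie(value, host, secure):
    """Build the sessionid cookie a login response would set for `host`.

    `secure` stands in for SESSION_COOKIE_SECURE: True adds the Secure attribute.
    """
    return Cookie(
        version=0, name="sessionid", value=value,
        port=None, port_specified=False,
        domain=host, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_header_for(url, cookie):
    """Cookie header a policy-following client sends to `url`, or None.

    CookieJar's default policy refuses to return a Secure cookie on a
    non-https request, which is exactly what a browser does.
    """
    jar = CookieJar()
    jar.set_cookie(cookie)
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def dev_server_login_works(secure):
    """Does the session survive the first request after login on runserver?

    Constructed scenario: the dev server listens on http://127.0.0.1:8000.
    """
    cookie = session_cookie("s3ss10n", "127.0.0.1", secure=secure)
    return cookie_header_for("http://127.0.0.1:8000/admin/", cookie) is not None


if __name__ == "__main__":
    dev_settings = {
        "SESSION_COOKIE_SECURE": False,  # Django's default, the subject of the ticket
        "INSTALLED_APPS": [SESSION_APP],
        "MIDDLEWARE": [SESSION_MIDDLEWARE],
    }
    prod_settings = dict(dev_settings, SESSION_COOKIE_SECURE=True)
    print("default settings, --deploy:  ", session_cookie_secure_warnings(dev_settings))
    print("hardened settings, --deploy: ", session_cookie_secure_warnings(prod_settings))
    print("runserver login, default:    ", dev_server_login_works(False))
    print("runserver login, Secure:     ", dev_server_login_works(True))
    prod_cookie = session_cookie("s3ss10n", "example.com", secure=True)
    print("https production request:    ",
          cookie_header_for("https://example.com/admin/", prod_cookie))
```

The deploy-check half returns an empty list only when the setting is explicitly `True`, so a project that never touches it keeps warning until production settings are fixed; the cookie-jar half shows the trade-off the ticket settled on: with `Secure` set, the same cookie is returned over `https://` but silently dropped over the plain-http development server.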