#30314 closed Cleanup/optimization (wontfix)
Enable SESSION_COOKIE_SECURE by Default
| Reported by: | nstr10 | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.sessions | Version: | 2.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."
If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me.
Change History (2)
comment:1 by , 5 years ago
| Component: | Uncategorized → contrib.sessions |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
| Type: | Uncategorized → Cleanup/optimization |
| Version: | 2.1 → 2.2 |
comment:2 by , 5 years ago
| Easy pickings: | unset |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
| Triage Stage: | Accepted → Unreviewed |
As per input on the mailing list, adjusting the default here would cause issues logging in when using the development server.
The system check framework will raise a warning here when running with the --deploy flag.
Version 0, edited 5 years ago by (next)
Note:
See TracTickets
for help on using tickets.
OK, seems reasonable, yes.
Will need a note as a breaking changing in the 3.0 release notes.
I've asked on the mailing list if there are any reasons not to do this.