Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#30314 closed Cleanup/optimization (wontfix)

Enable SESSION_COOKIE_SECURE by Default

Reported by: nstr10
Owned by: nobody
Component: contrib.sessions
Version: 2.2
Severity: Normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."

If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me.

Change History (2)

comment:1 Changed 2 years ago by Carlton Gibson

Component: Uncategorized → contrib.sessions
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization
Version: 2.1 → 2.2

OK, seems reasonable, yes.

Will need a note as a breaking change in the 3.0 release notes.

I've asked on the mailing list if there are any reasons not to do this.

comment:2 Changed 2 years ago by Carlton Gibson

Easy pickings: unset
Resolution: → wontfix
Status: new → closed
Triage Stage: Accepted → Unreviewed

As per input on the mailing list, adjusting the default here would cause issues logging in when using the development server.

The system check framework will raise a warning here when running with the --deploy flag.
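The trade-off the thread settles on (a Secure session cookie is what you want in production, but it breaks login on a plain-HTTP development server, so the safe default is left to the deployment check rather than the setting) can be shown in a few lines. The block below is an added example and is not code from this ticket or from Django: the setting names mirror Django's real `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE` and `SESSION_COOKIE_NAME`, the `make_settings` pattern of tying the Secure flags to `DEBUG` is an assumed convention rather than a Django default, the cookie-jar class is a deliberate simplification of how browsers handle the `Secure` attribute, and `deploy_check` is a stand-in for the kind of warning `manage.py check --deploy` emits, not Django's check framework.

```python
"""Why SESSION_COOKIE_SECURE=True breaks login on a plain-HTTP dev server,
and the usual settings pattern around it.

Added example, not code from the ticket or from Django. The setting names
mirror Django's real settings; the cookie-jar model is a deliberate
simplification of RFC 6265 Secure handling, not a browser implementation.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Set-Cookie "Secure" attribute


class BrowserJar:
    """Minimal model of how browsers treat the Secure attribute: a Secure
    cookie is only sent on https requests, and (per the 'strict secure
    cookies' behaviour of current browsers) a Secure cookie set by an
    http response is rejected outright."""

    def __init__(self):
        self.cookies = {}

    def store(self, cookie, scheme):
        if cookie.secure and scheme != "https":
            return False  # Set-Cookie over http carrying Secure: dropped
        self.cookies[cookie.name] = cookie
        return True

    def cookies_for(self, scheme):
        """Cookies the browser would attach to a request over `scheme`."""
        return {
            name: c.value
            for name, c in self.cookies.items()
            if not c.secure or scheme == "https"
        }


def make_settings(debug):
    """Settings fragment (assumed pattern, not a Django default): tie the
    Secure flags to DEBUG so runserver over http keeps working while a
    production deployment gets the hardened value."""
    return {
        "DEBUG": debug,
        "SESSION_COOKIE_NAME": "sessionid",
        "SESSION_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_SECURE": not debug,
    }


def login_roundtrip(settings, scheme):
    """Simulate a login: the server sets the session cookie according to
    SESSION_COOKIE_SECURE, then the browser makes its next request over
    the same scheme. Returns True if the session cookie comes back, i.e.
    the user stays logged in."""
    jar = BrowserJar()
    cookie = Cookie(
        settings["SESSION_COOKIE_NAME"],
        "constructed-session-id",  # constructed sample value
        settings["SESSION_COOKIE_SECURE"],
    )
    jar.store(cookie, scheme)
    return settings["SESSION_COOKIE_NAME"] in jar.cookies_for(scheme)


def deploy_check(settings):
    """Simplified stand-in for the warnings `manage.py check --deploy`
    raises for these settings (not Django's check framework)."""
    warnings = []
    if not settings.get("SESSION_COOKIE_SECURE"):
        warnings.append("SESSION_COOKIE_SECURE is not True: the session "
                        "cookie may be sent over plain HTTP")
    if not settings.get("CSRF_COOKIE_SECURE"):
        warnings.append("CSRF_COOKIE_SECURE is not True: the CSRF cookie "
                        "may be sent over plain HTTP")
    return warnings


if __name__ == "__main__":
    dev = make_settings(debug=True)
    prod = make_settings(debug=False)
    # The ticket's objection: a Secure-by-default cookie on an http runserver.
    secure_on_http = dict(dev, SESSION_COOKIE_SECURE=True)
    print("dev, http, Secure off:", login_roundtrip(dev, "http"))             # True
    print("dev, http, Secure on: ", login_roundtrip(secure_on_http, "http"))  # False: login loop
    print("prod, https, Secure on:", login_roundtrip(prod, "https"))          # True
    print("--deploy style warnings for dev settings:", deploy_check(dev))
```

The `False` case is exactly what the mailing-list feedback in comment 2 describes: with `SESSION_COOKIE_SECURE = True` the login view sets the cookie, the browser never returns it over http, and every subsequent request looks anonymous. Keeping the setting tied to the deployment (here via `DEBUG`, or via an environment variable) and running `manage.py check --deploy` before going live is the practical answer the ticket lands on.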
