id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30314	Enable SESSION_COOKIE_SECURE by Default	nstr10	nobody	"Per the documentation, ""Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session.""

If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me."	Cleanup/optimization	closed	contrib.sessions	2.2	Normal	wontfix			Unreviewed	0	0	0	0	0	0