Enable cookie security if HTTPS is explicity indicated in settings.

[Adam Yala]

Per this conversation
​https://forum.djangoproject.com/t/why-are-cookie-secure-settings-defaulted-to-false/
on forum.djangoproject.com with Adam Johnson, the goal of this ticket is to help improve Django's default security.

By default, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to False.

The purpose of this ticket is to set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True if either SECURE_SSL_REDIRECT or SECURE_HSTS_SECONDS is enabled.

[Mariusz Felisiak]

Thanks for this ticket, however I'm not in favor of internal rules which change settings implicitly. It can be confusing and sometimes unexpected. You can start a discussion on DevelopersMailingList if you don't agree. We can reopen this ticket after getting a strong consensus.

[Adam Johnson]

A cleaner alternative I thought of would be to introduce the new value None as the defaults for these settings, which could mean the secure flag is set on the cookies if request.is_secure(). The only potential breakage is for sites that are served on HTTP and HTTPS, which is something of a misconfiguration these days.

[Mariusz Felisiak]

​Please follow triaging guidelines with regards to wontfix tickets.

[Adam Johnson]

Sorry 🙈