Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#31260 closed Cleanup/optimization (wontfix)

Enable cookie security if HTTPS is explicity indicated in settings.

Reported by: Adam Yala Owned by: nobody
Component: Core (Other) Version: 3.0
Severity: Normal Keywords: ssl https cookie settings
Cc: Adam Johnson Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Per this conversation
https://forum.djangoproject.com/t/why-are-cookie-secure-settings-defaulted-to-false/
on forum.djangoproject.com with Adam Johnson, the goal of this ticket is to help improve Django's default security.

By default, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to False.

The purpose of this ticket is to set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True if either SECURE_SSL_REDIRECT or SECURE_HSTS_SECONDS is enabled.

Change History (5)

comment:1 by Mariusz Felisiak, 5 years ago

Resolution: wontfix
Status: newclosed
Summary: Enable cookie security if HTTPS is explicity indicated in settingsEnable cookie security if HTTPS is explicity indicated in settings.

Thanks for this ticket, however I'm not in favor of internal rules which change settings implicitly. It can be confusing and sometimes unexpected. You can start a discussion on DevelopersMailingList if you don't agree. We can reopen this ticket after getting a strong consensus.

comment:2 by Adam Johnson, 5 years ago

Cc: Adam Johnson added

A cleaner alternative I thought of would be to introduce the new value None as the defaults for these settings, which could mean the secure flag is set on the cookies if request.is_secure(). The only potential breakage is for sites that are served on HTTP and HTTPS, which is something of a misconfiguration these days.

comment:3 by Adam Johnson, 5 years ago

Resolution: wontfix
Status: closednew

comment:4 by Mariusz Felisiak, 5 years ago

Resolution: wontfix
Status: newclosed

comment:5 by Adam Johnson, 5 years ago

Sorry 🙈

Note: See TracTickets for help on using tickets.
Back to Top