#30314 closed Cleanup/optimization (wontfix)
Enable SESSION_COOKIE_SECURE by Default
Reported by: | nstr10 | Owned by: | nobody |
---|---|---|---|
Component: | contrib.sessions | Version: | 2.2 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."
If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me.
Change History (2)
comment:1 by , 6 years ago
Component: | Uncategorized → contrib.sessions |
---|---|
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
Version: | 2.1 → 2.2 |
comment:2 by , 6 years ago
Easy pickings: | unset |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
Triage Stage: | Accepted → Unreviewed |
As per input on the mailing list, adjusting the default here would cause issues logging in when using the development server. (This is likely to cause more trouble than it saves.)
The system check framework will raise a warning here when running with the --deploy flag.
OK, seems reasonable, yes.
Will need a note as a breaking change in the 3.0 release notes.
I've asked on the mailing list if there are any reasons not to do this.
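The two concerns raised in this ticket, the sniffing risk the description quotes from the docs and the development-server login problem given as the reason for closing, both come down to one browser rule: a cookie carrying the Secure attribute is only sent back over https. The following is an added example, not Django's code and not part of the ticket. It models that rule for Set-Cookie values shaped like the ones Django's SessionMiddleware emits (session keys, hostnames and paths are constructed), and includes a toy settings check in the spirit of the `--deploy` warning (Django's own is `security.W012`; the message text here is ours). It runs without Django installed.

```python
"""Added example (not Django's code): how a browser treats the session
cookie with and without the Secure attribute, plus a toy settings check
in the spirit of ``manage.py check --deploy``."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie value of the shape Django's SessionMiddleware emits.
    Attributes other than Path, Secure and HttpOnly are ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "path" and val.strip():
            cookie.path = val.strip()
    return cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_send(cookie: Cookie, url: str) -> bool:
    """Would a browser attach ``cookie`` to a request for ``url``?
    Only scheme and Path are modelled (no Domain, Expires or SameSite):
    a Secure cookie is sent only over https (RFC 6265 section 4.1.2.5)."""
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False
    return path_matches(cookie.path, parts.path or "/")


def session_cookie_warnings(settings: dict) -> list:
    """Toy counterpart of the deploy check that flags SESSION_COOKIE_SECURE
    (Django's is security.W012; the message text here is our own)."""
    uses_sessions = (
        "django.contrib.sessions" in settings.get("INSTALLED_APPS", ())
        or "django.contrib.sessions.middleware.SessionMiddleware"
        in settings.get("MIDDLEWARE", ())
    )
    warnings = []
    if uses_sessions and settings.get("SESSION_COOKIE_SECURE") is not True:
        warnings.append(
            "SESSION_COOKIE_SECURE is not True: the session cookie will be sent "
            "over plain http and can be captured by a network sniffer."
        )
    return warnings


def demo() -> dict:
    """Constructed Set-Cookie values; the session key and hosts are made up."""
    default = parse_set_cookie("sessionid=k7d2x9; HttpOnly; Path=/; SameSite=Lax")
    hardened = parse_set_cookie("sessionid=k7d2x9; HttpOnly; Path=/; SameSite=Lax; Secure")
    return {
        # default setting: the cookie rides along on a plain-http request (the sniffing case)
        "default_over_http": would_send(default, "http://example.com/accounts/profile/"),
        # hardened: the same plain-http request carries no session cookie ...
        "hardened_over_http": would_send(hardened, "http://example.com/accounts/profile/"),
        # ... but an https request does
        "hardened_over_https": would_send(hardened, "https://example.com/accounts/profile/"),
        # runserver on plain http never gets the cookie back, so the login appears to fail
        "hardened_dev_server": would_send(hardened, "http://127.0.0.1:8000/admin/"),
    }


if __name__ == "__main__":
    print(demo())
    print(session_cookie_warnings({"INSTALLED_APPS": ["django.contrib.sessions"]}))
```

The `hardened_dev_server` entry is the closing comment's objection in miniature: with `SESSION_COOKIE_SECURE = True` and `runserver` on `http://127.0.0.1:8000`, the login view sets the cookie but the browser never returns it, so every request after login looks anonymous. The usual way to keep both is to set `SESSION_COOKIE_SECURE = True` (and `CSRF_COOKIE_SECURE = True`) only in the production settings, and let `manage.py check --deploy` catch the case where they were forgotten.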