[Django] #31260: Enable cookie security if HTTPS is explicitly indicated in settings


Django, Feb 11, 2020, 1:40:37 PM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings
-------------------------------------+-------------------------------------
Reporter: adamyala | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (Other) | Version: 3.0
Severity: Normal | Keywords: ssl https cookie settings
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Per this conversation
https://forum.djangoproject.com/t/why-are-cookie-secure-settings-defaulted-to-false/
on forum.djangoproject.com with Adam Johnson, the goal of this ticket is
to help improve Django's default security.

By default, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to False.

The purpose of this ticket is to set SESSION_COOKIE_SECURE and
CSRF_COOKIE_SECURE to True if either SECURE_SSL_REDIRECT or
SECURE_HSTS_SECONDS is enabled.

--
Ticket URL: <https://code.djangoproject.com/ticket/31260>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django, Feb 12, 2020, 1:13:04 AM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings.
-------------------------------------+-------------------------------------
Reporter: Adam Yala | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Core (Other) | Version: 3.0
Severity: Normal | Resolution: wontfix
Keywords: ssl https cookie settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => wontfix


Comment:

Thanks for this ticket, however I'm not in favor of internal rules which
change settings implicitly. It can be confusing and sometimes unexpected.
You can start a discussion on DevelopersMailingList if you don't agree. We
can reopen this ticket after getting a strong consensus.

--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:1>

Django, Feb 18, 2020, 3:34:32 AM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings.
-------------------------------------+-------------------------------------
Reporter: Adam Yala | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Core (Other) | Version: 3.0
Severity: Normal | Resolution: wontfix
Keywords: ssl https cookie settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Adam (Chainz) Johnson):

* cc: Adam (Chainz) Johnson (added)


Comment:

A cleaner alternative I thought of would be to introduce the new value
`None` as the defaults for these settings, which could mean the secure
flag is set on the cookies if `request.is_secure()`. The only potential
breakage is for sites that are served on HTTP and HTTPS, which is
something of a misconfiguration these days.

--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:2>
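The two proposals in this thread, modelled side by side as an added example that is not part of the ticket or of Django's code base and that imports nothing from Django: `derived_cookie_settings` is the ticket's rule (force `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` on when `SECURE_SSL_REDIRECT` or `SECURE_HSTS_SECONDS` is set), and `cookie_secure_flag` is the alternative from comment:2 (a new default `None` meaning "Secure if `request.is_secure()`"). A constructed, deliberately tiny `CookieJar` then shows the breakage that comment mentions: a site served on both HTTP and HTTPS stops sending its session cookie on the HTTP side once the flag follows the request. The cookie name, value and the `simulate` helper are assumptions for illustration, not anything Django defines.

```python
"""
Stand-alone model (no Django import) of the two proposals in ticket #31260:

1. Ticket description: derive SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE
   from SECURE_SSL_REDIRECT or SECURE_HSTS_SECONDS.
2. comment:2: a new default None meaning "Secure iff request.is_secure()".

The CookieJar below is a constructed toy: it only remembers the Secure
attribute and applies the RFC 6265 rule that Secure cookies travel over
secure channels only. It is not a browser.
"""
from http.cookies import SimpleCookie

COOKIE_SETTINGS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def derived_cookie_settings(settings: dict) -> dict:
    """Proposal 1. Returns a copy of `settings` (a plain dict standing in for
    django.conf.settings) in which both cookie flags are forced to True when
    HTTPS is explicitly indicated. Explicit True values survive either way;
    nothing is ever turned off, and Django's default of False is kept when
    nothing indicates HTTPS."""
    https_indicated = bool(settings.get("SECURE_SSL_REDIRECT")) or bool(
        settings.get("SECURE_HSTS_SECONDS")
    )
    out = dict(settings)
    for name in COOKIE_SETTINGS:
        out[name] = True if https_indicated else bool(settings.get(name, False))
    return out


def cookie_secure_flag(setting, request_is_secure: bool) -> bool:
    """Proposal 2. An explicit True/False wins; the proposed default None
    means "follow the request": Secure on HTTPS responses, not on HTTP."""
    if setting is None:
        return request_is_secure
    return bool(setting)


def set_cookie_header(name: str, value: str, secure: bool) -> str:
    """Build a Set-Cookie value the way a session backend would, HttpOnly
    always, Secure only when the resolved flag says so."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


class CookieJar:
    """Constructed minimal cookie store for a single host."""

    def __init__(self) -> None:
        self._cookies = {}  # name -> (value, secure)

    def store(self, set_cookie: str) -> None:
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            self._cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, over_https: bool) -> str:
        """Cookie request header for the next request; Secure cookies are
        withheld when the request is not over HTTPS."""
        pairs = [f"{n}={v}" for n, (v, secure) in self._cookies.items()
                 if over_https or not secure]
        return "; ".join(pairs)


def simulate(setting, login_over_https: bool, later_over_https: bool) -> bool:
    """Log in (receive the session cookie) over one scheme, then make a later
    request over another. Returns True if the session cookie is sent back."""
    jar = CookieJar()
    secure = cookie_secure_flag(setting, login_over_https)
    jar.store(set_cookie_header("sessionid", "abc123", secure))
    return "sessionid=abc123" in jar.cookie_header(later_over_https)


if __name__ == "__main__":
    print(derived_cookie_settings({"SECURE_HSTS_SECONDS": 31536000}))
    # Today's default (False): the cookie is replayed over plain HTTP.
    print("default False, HTTPS login then HTTP:", simulate(False, True, False))
    # Proposed None: HTTPS-only sites keep working, HTTP-only sites too...
    print("None, HTTPS then HTTPS:", simulate(None, True, True))
    print("None, HTTP then HTTP:", simulate(None, False, False))
    # ...but a site mixing both schemes loses the session on the HTTP side.
    print("None, HTTPS login then HTTP:", simulate(None, True, False))
```

The last line of the `__main__` block is the "potential breakage" from comment:2 in concrete form; the line before it is the exposure the ticket is about, a session cookie issued over HTTPS being sent in the clear because the Secure attribute was never set.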

Django, Feb 18, 2020, 3:55:16 AM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings.
-------------------------------------+-------------------------------------
Reporter: Adam Yala | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (Other) | Version: 3.0
Severity: Normal | Resolution:
Keywords: ssl https cookie settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Adam (Chainz) Johnson):

* status: closed => new
* resolution: wontfix =>


--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:3>

Django, Feb 18, 2020, 4:08:09 AM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings.
-------------------------------------+-------------------------------------
Reporter: Adam Yala | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Core (Other) | Version: 3.0
Severity: Normal | Resolution: wontfix
Keywords: ssl https cookie settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => wontfix


Comment:

[https://docs.djangoproject.com/en/stable/internals/contributing/triaging-tickets/#closing-tickets Please follow triaging guidelines with regards to wontfix tickets.]

--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:4>

Django, Feb 18, 2020, 4:14:25 AM, to django-...@googlegroups.com
#31260: Enable cookie security if HTTPS is explicitly indicated in settings.
-------------------------------------+-------------------------------------
Reporter: Adam Yala | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: Core (Other) | Version: 3.0
Severity: Normal | Resolution: wontfix
Keywords: ssl https cookie settings | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Adam (Chainz) Johnson):

Sorry 🙈

--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:5>
