By default, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to False.
The purpose of this ticket is to set SESSION_COOKIE_SECURE and
CSRF_COOKIE_SECURE to True if either SECURE_SSL_REDIRECT or
SECURE_HSTS_SECONDS is enabled.
--
Ticket URL: <https://code.djangoproject.com/ticket/31260>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* status: new => closed
* resolution: => wontfix
Comment:
Thanks for this ticket; however, I'm not in favor of internal rules which
change settings implicitly. It can be confusing and sometimes unexpected.
You can start a discussion on DevelopersMailingList if you don't agree. We
can reopen this ticket after getting a strong consensus.
--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:1>
* cc: Adam (Chainz) Johnson (added)
Comment:
A cleaner alternative I thought of would be to introduce the new value
`None` as the default for these settings, which could mean the secure
flag is set on the cookies if `request.is_secure()`. The only potential
breakage is for sites that are served on HTTP and HTTPS, which is
something of a misconfiguration these days.
--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:2>
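The two rules discussed above, modelled side by side as an added example (this is not Django's code; the `Settings` shape, function names and the browser-side cookie model are assumptions made for illustration). It implements the ticket's rule (force the Secure flag when SECURE_SSL_REDIRECT or SECURE_HSTS_SECONDS is on), the comment-2 rule (`None` means follow `request.is_secure()`), a check in the spirit of `manage.py check --deploy` (the `security.W012`/`security.W016` ids are Django's real warning ids for these two settings), and the mixed HTTP/HTTPS session loss that comment 2 calls out.

```python
# Added example, not Django's code: a model of the two proposals in this ticket
# for deriving the Secure flag on the session and CSRF cookies. The Settings
# dataclass, the function names and the CookieJar model are assumptions.

from dataclasses import dataclass, field


@dataclass
class Settings:
    """Subset of Django settings relevant to the discussion (assumed shape)."""
    SESSION_COOKIE_SECURE: object = False   # Django's default is False; None in the comment-2 proposal
    CSRF_COOKIE_SECURE: object = False
    SECURE_SSL_REDIRECT: bool = False
    SECURE_HSTS_SECONDS: int = 0


def https_enforced(settings):
    """Ticket description: HTTPS counts as 'enabled' if either setting is on."""
    return bool(settings.SECURE_SSL_REDIRECT) or settings.SECURE_HSTS_SECONDS > 0


def secure_flag_ticket_rule(value, settings):
    """Ticket proposal: the flag is forced on whenever HTTPS is enforced site-wide."""
    return bool(value) or https_enforced(settings)


def secure_flag_none_rule(value, request_is_secure):
    """Comment-2 proposal: a value of None means 'follow request.is_secure()'."""
    if value is None:
        return request_is_secure
    return bool(value)


def deploy_warnings(settings):
    """Warnings in the spirit of `manage.py check --deploy`: the explicit setting
    is what the check looks at, so an implicit rule would not silence it."""
    warnings = []
    if settings.SESSION_COOKIE_SECURE is not True:
        warnings.append("security.W012")   # Django's id for SESSION_COOKIE_SECURE not True
    if settings.CSRF_COOKIE_SECURE is not True:
        warnings.append("security.W016")   # Django's id for CSRF_COOKIE_SECURE not True
    return warnings


@dataclass
class CookieJar:
    """Minimal browser-side model: a Secure cookie is only sent on HTTPS requests."""
    cookies: dict = field(default_factory=dict)  # cookie name -> Secure flag

    def set_cookie(self, name, secure):
        self.cookies[name] = secure

    def sent_to(self, request_is_secure):
        return sorted(n for n, s in self.cookies.items() if request_is_secure or not s)


def mixed_scheme_session_survives(settings):
    """Comment 2's breakage: on a site served over both schemes, a session cookie
    set during an HTTPS request under the None rule carries the Secure flag and is
    not sent back on a later HTTP request, so that request arrives without a session."""
    jar = CookieJar()
    jar.set_cookie("sessionid", secure_flag_none_rule(settings.SESSION_COOKIE_SECURE, True))
    return "sessionid" in jar.sent_to(False)


if __name__ == "__main__":
    print("warnings with defaults:", deploy_warnings(Settings()))
    print("session survives HTTP under None rule:",
          mixed_scheme_session_survives(Settings(SESSION_COOKIE_SECURE=None)))
```

Whichever rule is chosen, `deploy_warnings` shows why an explicit `True` in settings is the safer operational choice: the deployment check reads the configured value, not a derived one, so a site relying on an implicit rule would still be told its cookies are insecure.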
* status: closed => new
* resolution: wontfix =>
--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:3>
* status: new => closed
* resolution: => wontfix
Comment:
Please follow triaging guidelines with regards to wontfix tickets:
<https://docs.djangoproject.com/en/stable/internals/contributing/triaging-tickets/#closing-tickets>
--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:4>
Comment (by Adam (Chainz) Johnson):
Sorry 🙈
--
Ticket URL: <https://code.djangoproject.com/ticket/31260#comment:5>