Hi all. https://code.djangoproject.com/ticket/30314
> Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session." > > If it's not a good idea for this setting to be off, why is it off by default? Seems backwards to me. This looks right to me. A small breaking change for 3.0 would seem reasonable. So I'm going to Accept this. BUT this has been this way forever <https://github.com/django/django/commit/45be33a6327bccae60319982254ee62f65bea11e> so I just wanted to check if there were any overriding *Whys*? Thanks. Carlton -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/e67ee6a2-751e-4b24-9d72-6c746a8c0178%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.