On Wed, Apr 3, 2019 at 10:02 AM Carlton Gibson <carlton.gib...@gmail.com> wrote:
> Hi all. > > https://code.djangoproject.com/ticket/30314 > > > Per the documentation, "Leaving this setting off isn’t a good idea > because an attacker could capture an unencrypted session cookie with a > packet sniffer and use the cookie to hijack the user’s session." > > > > If it's not a good idea for this setting to be off, why is it off by > default? Seems backwards to me. > > This looks right to me. A small breaking change for 3.0 would seem > reasonable. So I'm going to Accept this. > > BUT this has been this way forever > <https://github.com/django/django/commit/45be33a6327bccae60319982254ee62f65bea11e> > so > I just wanted to check if there were any overriding *Whys*? > (The same reasoning should probably be applied to CSRF_COOKIE_SECURE.) My opinion is that this isn't a good idea. Right now it's possible to always have the SecurityMiddleware in MIDDLEWARE without adding any security-specific settings to the default setup. You get the following benefits: - Authenticating when developing locally works (as I understand it it does not with *_COOKIE_SECURE set to True because you can't authenticate anymore on the http: development server) - You get the SecurityMiddleware's warnings if you do not enable those settings when DEBUG=False I fear that more people will remove the SecurityMiddleware (which is in the default setup) instead of deactivating secure cookies for local development which means a net negative for security. Thanks, Matthias -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANvPqgCBK4B5k4hFPnvQvHv4ie2Bd0gnbw1sNhdCFb5KC7jsSg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
