subject:"Enable SESSION_COOKIE

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread James Bennett

On Wed, Apr 3, 2019 at 4:31 AM Aldian Fazrihady  wrote:

> Many production systems, including mine, are using HTTPS, which
> effectively blocks the capability of attackers from sniffing other people's
> cookies.
>

Closing off opportunities to sniff cookies is more complex than just using
HTTPS, which is why the 'Secure' and 'HttpOnly' flags exist on cookies, why
HSTS and preloading exist, and several other mechanisms.

If you are using HTTPS, you should have both SESSION_COOKIE_SECURE and
CSRF_COOKIE_SECURE set to True. This thread is discussing whether and how
we could default those to True.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAL13Cg-JpDxFVzAHqGmveMxVMD_2k5i%3DB%2BfwwLERi8pGY0%3DGJQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Aldian Fazrihady

Hi Carlton,

Many production systems, including mine, are using HTTPS, which effectively
blocks the capability of attackers from sniffing other people's cookies.

Regards,

Aldian Fazrihady

On Wed, Apr 3, 2019 at 4:02 PM Carlton Gibson 
wrote:

> Hi all.
>
> https://code.djangoproject.com/ticket/30314
>
> >  Per the documentation, "Leaving this setting off isn’t a good idea
> because an attacker could capture an unencrypted session cookie with a
> packet sniffer and use the cookie to hijack the user’s session."
> >
> > If it's not a good idea for this setting to be off, why is it off by
> default? Seems backwards to me.
>
> This looks right to me. A small breaking change for 3.0 would seem
> reasonable. So I'm going to Accept this.
>
> BUT this has been this way forever
> 
>  so
> I just wanted to check if there were any overriding *Whys*?
>
> Thanks.
> Carlton
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/e67ee6a2-751e-4b24-9d72-6c746a8c0178%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAN7EoAZD5zYSQNqb13sJiaLsRNyFZhE9YREW%2B4hjUrC-TQp-HA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Matthias Kestenholz

On Wed, Apr 3, 2019 at 11:39 AM James Bennett  wrote:

> On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson 
> wrote:
>
>> Yes, super thanks. Breaking login in development would qualify as a good
>> *Why* yes. 
>>
>> I'll assume we're NOT going to do this, but anyone with input, please do
>> comment.
>>
>
> Historically I've done something along the lines of
>
> CSRF_COOKIE_SECURE = not DEBUG
> SESSION_COOKIE_SECURE = not DEBUG
>
> That guarantees I never go to production without the cookies set to
> secure, but also avoids breaking local dev. I do similar things with other
> SSL-related settings.
>
> I'm not sure how well it generalizes to other people's use cases, though.
>

I do this too, but not using "not DEBUG" but SECURE_SSL_REDIRECT (or the
related setting for django-canonical-domain). It might be a good idea to
add something like this to the project template?

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CANvPqgCES-_-%3D8V%2BuAxecqC-Xd2sUaqeDRiSeX%2Byz0OXrfZRUQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread James Bennett

On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson 
wrote:

> Yes, super thanks. Breaking login in development would qualify as a good
> *Why* yes. 
>
> I'll assume we're NOT going to do this, but anyone with input, please do
> comment.
>

Historically I've done something along the lines of

CSRF_COOKIE_SECURE = not DEBUG
SESSION_COOKIE_SECURE = not DEBUG

That guarantees I never go to production without the cookies set to secure,
but also avoids breaking local dev. I do similar things with other
SSL-related settings.

I'm not sure how well it generalizes to other people's use cases, though.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAL13Cg8NrS3k_XXp4mB%3DaLQgmoo3yhuEMXOrrB2_yBj_tMV1qw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Carlton Gibson

Hi Matthias, 

Yes, super thanks. Breaking login in development would qualify as a good 
*Why* yes. 

I'll assume we're NOT going to do this, but anyone with input, please do 
comment. 

> (The same reasoning should probably be applied to CSRF_COOKIE_SECURE.

Absolutely. And, soon, `LANGUAGE_` 
too. https://github.com/django/django/pull/11155


Thanks. C. 




On Wednesday, 3 April 2019 10:19:15 UTC+2, Matthias Kestenholz wrote:
>
> On Wed, Apr 3, 2019 at 10:02 AM Carlton Gibson  > wrote:
>
>> Hi all. 
>>
>> https://code.djangoproject.com/ticket/30314
>>
>> >  Per the documentation, "Leaving this setting off isn’t a good idea 
>> because an attacker could capture an unencrypted session cookie with a 
>> packet sniffer and use the cookie to hijack the user’s session."
>> >
>> > If it's not a good idea for this setting to be off, why is it off by 
>> default? Seems backwards to me.
>>
>> This looks right to me. A small breaking change for 3.0 would seem 
>> reasonable. So I'm going to Accept this. 
>>
>> BUT this has been this way forever 
>> 
>>  so 
>> I just wanted to check if there were any overriding *Whys*?
>>
>
> (The same reasoning should probably be applied to CSRF_COOKIE_SECURE.)
>
> My opinion is that this isn't a good idea. Right now it's possible to 
> always have the SecurityMiddleware in MIDDLEWARE without adding any 
> security-specific settings to the default setup. You get the following 
> benefits:
>
> - Authenticating when developing locally works (as I understand it it does 
> not with *_COOKIE_SECURE set to True because you can't authenticate anymore 
> on the http: development server)
> - You get the SecurityMiddleware's warnings if you do not enable those 
> settings when DEBUG=False
>
> I fear that more people will remove the SecurityMiddleware (which is in 
> the default setup) instead of deactivating secure cookies for local 
> development which means a net negative for security.
>
> Thanks,
> Matthias
>
>  
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/46eb57dc-6b63-4a03-8937-6c6ad731344f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Matthias Kestenholz

On Wed, Apr 3, 2019 at 10:02 AM Carlton Gibson 
wrote:

> Hi all.
>
> https://code.djangoproject.com/ticket/30314
>
> >  Per the documentation, "Leaving this setting off isn’t a good idea
> because an attacker could capture an unencrypted session cookie with a
> packet sniffer and use the cookie to hijack the user’s session."
> >
> > If it's not a good idea for this setting to be off, why is it off by
> default? Seems backwards to me.
>
> This looks right to me. A small breaking change for 3.0 would seem
> reasonable. So I'm going to Accept this.
>
> BUT this has been this way forever
> 
>  so
> I just wanted to check if there were any overriding *Whys*?
>

(The same reasoning should probably be applied to CSRF_COOKIE_SECURE.)

My opinion is that this isn't a good idea. Right now it's possible to
always have the SecurityMiddleware in MIDDLEWARE without adding any
security-specific settings to the default setup. You get the following
benefits:

- Authenticating when developing locally works (as I understand it it does
not with *_COOKIE_SECURE set to True because you can't authenticate anymore
on the http: development server)
- You get the SecurityMiddleware's warnings if you do not enable those
settings when DEBUG=False

I fear that more people will remove the SecurityMiddleware (which is in the
default setup) instead of deactivating secure cookies for local development
which means a net negative for security.

Thanks,
Matthias

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CANvPqgCBK4B5k4hFPnvQvHv4ie2Bd0gnbw1sNhdCFb5KC7jsSg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Carlton Gibson

Hi all. 

https://code.djangoproject.com/ticket/30314

>  Per the documentation, "Leaving this setting off isn’t a good idea 
because an attacker could capture an unencrypted session cookie with a 
packet sniffer and use the cookie to hijack the user’s session."
>
> If it's not a good idea for this setting to be off, why is it off by 
default? Seems backwards to me.

This looks right to me. A small breaking change for 3.0 would seem 
reasonable. So I'm going to Accept this. 

BUT this has been this way forever 

 so 
I just wanted to check if there were any overriding *Whys*?

Thanks. 
Carlton

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/e67ee6a2-751e-4b24-9d72-6c746a8c0178%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Enable SESSION_COOKIE_SECURE by Default

Re: Enable SESSION_COOKIE_SECURE by Default

Re: Enable SESSION_COOKIE_SECURE by Default

Re: Enable SESSION_COOKIE_SECURE by Default

Re: Enable SESSION_COOKIE_SECURE by Default

Re: Enable SESSION_COOKIE_SECURE by Default

Enable SESSION_COOKIE_SECURE by Default

7 matches

Site Navigation

Mail list logo

Footer information