On Wed, Apr 3, 2019 at 4:31 AM Aldian Fazrihady wrote:
> Many production systems, including mine, are using HTTPS, which
> effectively blocks the capability of attackers from sniffing other people's
> cookies.
>
Closing off opportunities to sniff cookies is more complex than just using HTTPS,
Hi Carlton,
Many production systems, including mine, are using HTTPS, which effectively blocks the capability of attackers from sniffing other people's cookies.
Regards,
Aldian Fazrihady
On Wed, Apr 3, 2019 at 4:02 PM Carlton Gibson wrote:
> Hi all.
>
>
On Wed, Apr 3, 2019 at 11:39 AM James Bennett wrote:
> On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson wrote:
>
>> Yes, super thanks. Breaking login in development would qualify as a good
>> *Why* yes.
>>
>> I'll assume we're NOT going to do this, but anyone with input, please do
>> comment.
On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson wrote:
> Yes, super thanks. Breaking login in development would qualify as a good
> *Why* yes.
>
> I'll assume we're NOT going to do this, but anyone with input, please do
> comment.
>
Historically I've done something along the lines of
Hi Matthias,
Yes, super thanks. Breaking login in development would qualify as a good
*Why* yes.
I'll assume we're NOT going to do this, but anyone with input, please do
comment.
> (The same reasoning should probably be applied to CSRF_COOKIE_SECURE.
Absolutely. And, soon, `LANGUAGE_`
On Wed, Apr 3, 2019 at 10:02 AM Carlton Gibson wrote:
> Hi all.
>
> https://code.djangoproject.com/ticket/30314
>
> > Per the documentation, "Leaving this setting off isn’t a good idea
> > because an attacker could capture an unencrypted session cookie with a
> > packet sniffer and use the cookie
Hi all.
https://code.djangoproject.com/ticket/30314
> Per the documentation, "Leaving this setting off isn’t a good idea
> because an attacker could capture an unencrypted session cookie with a
> packet sniffer and use the cookie to hijack the user’s session."
>
> If it's not a good idea for