Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread James Bennett
On Wed, Apr 3, 2019 at 4:31 AM Aldian Fazrihady wrote:
> Many production systems, including mine, are using HTTPS, which
> effectively blocks the capability of attackers from sniffing other people's
> cookies.
>
Closing off opportunities to sniff cookies is more complex than just using HTTPS,

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Aldian Fazrihady
Hi Carlton,

Many production systems, including mine, are using HTTPS, which effectively blocks the capability of attackers from sniffing other people's cookies.

Regards,
Aldian Fazrihady

On Wed, Apr 3, 2019 at 4:02 PM Carlton Gibson wrote:
> Hi all.
>
>

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Matthias Kestenholz
On Wed, Apr 3, 2019 at 11:39 AM James Bennett wrote:
> On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson
> wrote:
>
>> Yes, super thanks. Breaking login in development would qualify as a good
>> *Why* yes.
>>
>> I'll assume we're NOT going to do this, but anyone with input, please do
>> comment.

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread James Bennett
On Wed, Apr 3, 2019 at 2:34 AM Carlton Gibson wrote:
> Yes, super thanks. Breaking login in development would qualify as a good
> *Why* yes.
>
> I'll assume we're NOT going to do this, but anyone with input, please do
> comment.
>
Historically I've done something along the lines of

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Carlton Gibson
Hi Matthias,

Yes, super thanks. Breaking login in development would qualify as a good *Why* yes.

I'll assume we're NOT going to do this, but anyone with input, please do comment.

> (The same reasoning should probably be applied to CSRF_COOKIE_SECURE.

Absolutely. And, soon, `LANGUAGE_`

Re: Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Matthias Kestenholz
On Wed, Apr 3, 2019 at 10:02 AM Carlton Gibson wrote:
> Hi all.
>
> https://code.djangoproject.com/ticket/30314
>
>
> Per the documentation, "Leaving this setting off isn’t a good idea
> because an attacker could capture an unencrypted session cookie with a
> packet sniffer and use the cookie

Enable SESSION_COOKIE_SECURE by Default

2019-04-03 Thread Carlton Gibson
Hi all.

https://code.djangoproject.com/ticket/30314

> Per the documentation, "Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session."
>
> If it's not a good idea for