Use secure session cookies

Django would be default use insecure cookies - that would be sent by the browser also over plain http. And administrative work requiring authenticated sessions should be done over https - and therefore, the cookie should be marked as secure. This can be achived by setting: settings.SESSION_COOKIE_SECURE = True As this is an essential security setting that shouldn't need additional tweaks, adding the setting to settings.py (and not local_settings.py).

Use secure session cookies
Django would be default use insecure cookies - that would be sent by the browser also over plain http. And administrative work requiring authenticated sessions should be done over https - and therefore, the cookie should be marked as secure. This can be achived by setting: settings.SESSION_COOKIE_SECURE = True As this is an essential security setting that shouldn't need additional tweaks, adding the setting to settings.py (and not local_settings.py).
e4868581 · Vladimir Mencl · Zenon Mousmoulas · 2c10a316 · e4868581
Commit e4868581 authored Jan 30, 2016 by Vladimir Mencl Committed by Zenon Mousmoulas Feb 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

djnro/settings.py djnro/settings.py +2 -0

No files found.
--- a/djnro/settings.py
+++ b/djnro/settings.py
@@ -213,6 +213,8 @@ EDUROAM_KML_URL = 'http://monitor.eduroam.org/kml/all.kml'
 # Check for headers indicating the request was received on a secure SSL connection
 SECURE_PROXY_SSL_HEADER = ('X-Forwarded-SSL', 'on')

+# Request session cookies to be marked as secure
+SESSION_COOKIE_SECURE = True

 TINYMCE_JS_URL = '/static/js/tinymce/tiny_mce.js'