add docs about secure cookies

2013-11-03 10:19:05 +01:00 · 2013-11-03 10:19:05 +01:00 · 52c2916215
commit 52c2916215
parent 7a99935597
2 changed files with 5 additions and 2 deletions
--- a/docs/security.rst
+++ b/docs/security.rst
@ -102,6 +102,9 @@ The software ("as is") uses these cookies:
 * "sessionid" (host-only, to keep the session when you have logged-in to the
  web interface)

+If you have set WE_HAVE_SSL to True (because you run the software on a https
+site), you should also set *_COOKIE_SECURE to True to avoid the cookies getting
+transmitted via http.

 Be careful with domain cookies
 ------------------------------
--- a/nsupdate/settings.py
+++ b/nsupdate/settings.py
@ -224,13 +224,13 @@ CSRF_FAILURE_VIEW = 'nsupdate.main.views.CsrfFailureView'
 # Settings for CSRF cookie.
 CSRF_COOKIE_NAME = 'csrftoken'
 CSRF_COOKIE_PATH = '/'
-CSRF_COOKIE_SECURE = False
+CSRF_COOKIE_SECURE = False  # use True here if you have set WE_HAVE_SSL = True
 CSRF_COOKIE_HTTPONLY = False

 # Settings for session cookie.
 SESSION_COOKIE_NAME = 'sessionid'
 SESSION_COOKIE_PATH = '/'
-SESSION_COOKIE_SECURE = False
+SESSION_COOKIE_SECURE = False  # use True here if you have set WE_HAVE_SSL = True
 SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_AGE = 14 * 24 * 3600  # 2 weeks, in seconds
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False