Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Fixed #2523 -- Added SESSION_COOKIE_SECURE setting. Thanks, mir@noris.de

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3570 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 45be33a6327bccae60319982254ee62f65bea11e 1 parent 20070d9
@adrianholovaty adrianholovaty authored
View
1  django/conf/global_settings.py
@@ -252,6 +252,7 @@
SESSION_COOKIE_NAME = 'sessionid' # Cookie name. This can be whatever you want.
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
+SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether sessions expire when a user closes his browser.
View
3  django/contrib/sessions/middleware.py
@@ -88,5 +88,6 @@ def process_response(self, request, response):
new_session = Session.objects.save(session_key, request.session._session,
datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
- max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN)
+ max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+ secure=settings.SESSION_COOKIE_SECURE or None)
return response
View
11 docs/sessions.txt
@@ -245,6 +245,17 @@ Default: ``'sessionid'``
The name of the cookie to use for sessions. This can be whatever you want.
+SESSION_COOKIE_SECURE
+---------------------
+
+**New in Django development version**
+
+Default: ``False``
+
+Whether to use a secure cookie for the session cookie. If this is set to
+``True``, the cookie will be marked as "secure," which means browsers may
+ensure that the cookie is only sent under an HTTPS connection.
+
SESSION_EXPIRE_AT_BROWSER_CLOSE
-------------------------------
View
12 docs/settings.txt
@@ -647,6 +647,18 @@ Default: ``'sessionid'``
The name of the cookie to use for sessions. This can be whatever you want.
See the `session docs`_.
+SESSION_COOKIE_SECURE
+---------------------
+
+**New in Django development version**
+
+Default: ``False``
+
+Whether to use a secure cookie for the session cookie. If this is set to
+``True``, the cookie will be marked as "secure," which means browsers may
+ensure that the cookie is only sent under an HTTPS connection.
+See the `session docs`_.
+
SESSION_EXPIRE_AT_BROWSER_CLOSE
-------------------------------

0 comments on commit 45be33a

Please sign in to comment.
Something went wrong with that request. Please try again.