Hi,
I agree that we should treat session cookies as sensitive and hide them
like we do with passwords. That said, please be aware that all the
SafeException reporters are best effort and it is generally not possible to
have a "safe" exception.
In that sense, patches welcome but
Hi,
AFAIU, SafeExceptionReporterFilter takes care of removing any sensitive
data from logs. However, I today realized that this does not cover
session cookies.
In a ticket about this issue[1] it was treated not as a security issue
but more as a request for customization. That puzzled me a
Hi All,
First post here, please redirect me where needed if this is not appropriate.
I wanted to suggest a feature.
Our current plan is to use the same Django on subdomain.domain.com and
domain.org, and a different Django with CMS on the TLD domain.com.
We want to enable cookie saving with the TL
I recently opened #16847, which proposes to set the HttpOnly property
to True on session cookies by default in 1.4. I'm pretty sure this is
the right approach, but I'd like a bit more feedback from the dev list
here before I go ahead and do it. Are people running applications that
would
On 4/12/06, Michael Radziej <[EMAIL PROTECTED]> wrote:
> the sessions middleware does not support some cookie settings I'd prefer
> for security, especially since the authentication middleware depends on it:
>
> - secure flag (i.e., if a cookie has been received via SSL, only send it
> over SSL)
>
Hmm ... not much feedback :-(
Please, could one of the core developers just give a short statement
like "interested" or "not interested" on this? Even a "maybe" would be
better than no feedback at all.
It just makes a difference if I do this only for my project or try to
solve it cleanly.
Mi
Hi,
the sessions middleware does not support some cookie settings I'd prefer
for security, especially since the authentication middleware depends on it:
- secure flag (i.e., if a cookie has been received via SSL, only send it
over SSL)
- discard flag (i.e., it's a non-persistent cookie being