Merge pull request openwebwork#2658 from drgrice1/default-cookie-secure

Change the default value of `$CookieSecure` to 1.
drgrice1 · Jan 22, 2025 · fd501c8 · fd501c8
2 parents 3219060 + 7e1fa1a
commit fd501c8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/conf/defaults.config b/conf/defaults.config
@@ -981,8 +981,7 @@ $session_management_via = "session_cookie";
 $CookieSameSite = "Lax";
 
 # Set the value of the secure cookie attribute.
-# The default is 0, as 1 will not work without https.
-$CookieSecure = 0;
+$CookieSecure = 1;
 
 # If $useSessionCookie is set to 1, then a "session" cookie will be used. This
 # means that the cookie will be deleted when the browser session ends.

diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist
@@ -595,8 +595,8 @@ $mail{feedbackRecipients}    = [
 #$CookieSameSite = "Lax";
 
 # Set the value of the secure cookie attribute.
-# The default is 0, as 1 will not work without https.
-#$CookieSecure = 1;
+# The default is 1, so if you are serving without https then set this to 0.
+#$CookieSecure = 0;
 
 # If $useSessionCookie is set to 1, then a "session" cookie will be used. This
 # means that the cookie will be deleted when the browser session ends.