Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the default value of $CookieSecure to 1. #2658

Merged
merged 1 commit into from
Jan 22, 2025
Merged

Change the default value of $CookieSecure to 1. #2658

merged 1 commit into from
Jan 22, 2025

Conversation

drgrice1
Copy link
Member

There is really no production scenario where this should be anything but 1. If you are really serving without https, then you can change this. And good luck dealing with your users having to click through the warnings to get to your site.

Note that this just works if you are using localhost in development also. Browsers have a built in exception for localhost and consider it secure without actual certificates.

I am tired of seeing forum issues because system administrators forget or don't know to change this.

@drgrice1
Change the default value of $CookieSecure to 1.
7e1fa1a 
There is really no production scenario where this should be anything but
1.  If you are really serving without https, then you can change this.
And good luck dealing with your users having to click through the
warnings to get to your site.

Note that this just works if you are using `localhost` in development
also.  Browsers have a built in exception for `localhost` and consider
it secure without actual certificates.

I am tired of seeing forum issues because system administrators forget
or don't know to change this.
dlglin
dlglin approved these changes Jan 22, 2025
View reviewed changes
Copy link
Member

@dlglin dlglin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As someone who was burned by this I wholeheartedly approve.
Is it worth adding a note to localOverrides telling people that changing this to 0 in a production environment is a bad idea?

@drgrice1
Copy link
Member Author

I think it is worth adding a note. I almost did but for some reason held off. I guess I wasn't sure exactly what to say other than "Don't do this."

@drgrice1
Copy link
Member Author

Historically there have been quite a few instances of webwork that were served without SSL, and we have lots of notes in the installation manual and such about "if you are serving with https...". Nowadays, serving without SSL even for the most basic of sites is something you really just can't do anymore.

@dlglin
Copy link
Member

dlglin commented Jan 22, 2025

The only use case I see is for disabling this is test/dev environments. That's why I suggested saying something about not changing it on production systems.
I agree that we should get rid of any instructions that describe https as optional.

@somiaj somiaj merged commit fd501c8 into openwebwork:develop Jan 22, 2025
2 checks passed
@somiaj
Copy link
Contributor

somiaj commented Jan 22, 2025

Oops, I missed you were complicating adding an additional note. I was mostly thinking you were discussing updating install instructions and adding notes there.

@drgrice1
Copy link
Member Author

That is okay. We can add a note later. I think that most will just leave this as it is.

@drgrice1 drgrice1 deleted the default-cookie-secure branch January 24, 2025 11:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlglin dlglin dlglin approved these changes

@somiaj somiaj somiaj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@drgrice1 @dlglin @somiaj