
Question about SESSION_SECURITY_INSECURE setting

Open marsvolta80 opened this issue 6 years ago • 2 comments

Good morning,

I just wanted to get some clarification on the SESSION_SECURITY_INSECURE setting. Based on the documentation it seems like if you set SESSION_EXPIRE_AT_BROWSER_CLOSE to True then you wouldn't need to set the SESSION_SECURITY_INSECURE setting? Also the documentation seems to suggest you wouldn't want to use this app without SESSION_EXPIRE_AT_BROWSER_CLOSE being set to True. Overall I was just a little confused on how this setting is used. Can you describe a scenario of how you would use this setting?

Thank you!

marsvolta80 avatar Jul 24 '19 15:07 marsvolta80

The package will throw an exception if you don't do one of two things:

  1. set SESSION_EXPIRE_AT_BROWSER_CLOSE=True
  2. set SESSION_SECURITY_INSECURE=True

You absolutely should do the first, but a bypass exists if (for some reason?!?!) you needed to prevent this from happening (e.g. for testing or for a specific type of user).

claytondaley avatar Jul 24 '19 15:07 claytondaley
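The rule described in the reply above, written out as an added example (this is not django-session-security's own code): a startup check that accepts the recommended configuration, accepts the explicit opt-out, and refuses anything else. It runs without Django installed, so `ImproperlyConfigured` below is a stand-in for `django.core.exceptions.ImproperlyConfigured` and the settings dicts are constructed samples.

```python
from typing import Any, Mapping


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (assumption)."""


def session_security_mode(settings: Mapping[str, Any]) -> str:
    """Return which mode the settings put django-session-security in.

    Mirrors the rule the maintainer states: SESSION_EXPIRE_AT_BROWSER_CLOSE
    must be True, or SESSION_SECURITY_INSECURE must be True as a deliberate
    opt-out (e.g. for tests); otherwise startup fails.
    """
    # Django's own default for SESSION_EXPIRE_AT_BROWSER_CLOSE is False.
    expire_at_close = bool(settings.get("SESSION_EXPIRE_AT_BROWSER_CLOSE", False))
    insecure_opt_out = bool(settings.get("SESSION_SECURITY_INSECURE", False))
    if expire_at_close:
        return "secure"  # session cookie ends with the browser: the intended setup
    if insecure_opt_out:
        return "insecure-opt-out"  # persistent session cookie, explicitly accepted
    raise ImproperlyConfigured(
        "django-session-security requires SESSION_EXPIRE_AT_BROWSER_CLOSE = True; "
        "set SESSION_SECURITY_INSECURE = True only to deliberately bypass this check"
    )


def startup_ok(settings: Mapping[str, Any]) -> bool:
    """True if the app would start with these settings, False if it would raise."""
    try:
        session_security_mode(settings)
    except ImproperlyConfigured:
        return False
    return True


# Constructed settings fragments (sample values, not from any real project).
RECOMMENDED = {"SESSION_EXPIRE_AT_BROWSER_CLOSE": True, "SESSION_COOKIE_AGE": 1800}
TEST_ONLY = {"SESSION_EXPIRE_AT_BROWSER_CLOSE": False, "SESSION_SECURITY_INSECURE": True}
MISCONFIGURED = {"SESSION_COOKIE_AGE": 1209600}  # neither flag: Django's two-week default cookie

if __name__ == "__main__":
    for name, cfg in (("RECOMMENDED", RECOMMENDED), ("TEST_ONLY", TEST_ONLY),
                      ("MISCONFIGURED", MISCONFIGURED)):
        print(name, "starts" if startup_ok(cfg) else "raises ImproperlyConfigured")
```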

If you have a suggestion on how to phrase it more clearly, you're welcome to submit a PR!

claytondaley avatar Jul 24 '19 15:07 claytondaley