diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index a00e2ba4eb..4ea694d064 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -252,6 +252,7 @@ MIDDLEWARE_CLASSES = (
 SESSION_COOKIE_NAME = 'sessionid' # Cookie name. This can be whatever you want.
 SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
 SESSION_COOKIE_DOMAIN = None # A string like ".lawrence.com", or None for standard domain cookie.
+SESSION_COOKIE_SECURE = False # Whether the session cookie should be secure (https:// only).
 SESSION_SAVE_EVERY_REQUEST = False # Whether to save the session data on every request.
 SESSION_EXPIRE_AT_BROWSER_CLOSE = False # Whether sessions expire when a user closes his browser.
diff --git a/django/contrib/sessions/middleware.py b/django/contrib/sessions/middleware.py
index dde4f1a6c0..2337ad8a61 100644
--- a/django/contrib/sessions/middleware.py
+++ b/django/contrib/sessions/middleware.py
@@ -88,5 +88,6 @@ class SessionMiddleware(object):
 new_session = Session.objects.save(session_key, request.session._session,
 datetime.datetime.now() + datetime.timedelta(seconds=settings.SESSION_COOKIE_AGE))
 response.set_cookie(settings.SESSION_COOKIE_NAME, session_key,
- max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN)
+ max_age=max_age, expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
+ secure=settings.SESSION_COOKIE_SECURE or None)
 return response
diff --git a/docs/sessions.txt b/docs/sessions.txt
index c473d0a3db..d39f42c3bf 100644
--- a/docs/sessions.txt
+++ b/docs/sessions.txt
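Review bot: The new keyword `secure=settings.SESSION_COOKIE_SECURE or None` on the set_cookie call needs a comment, because the `or None` presumably exists only because set_cookie treats `None` as "leave the attribute off" while a literal `False` would be stored on the cookie; nothing in the hunk shows that, so a reader will wonder why the boolean is not passed straight through — e.g. `# set_cookie only skips attributes that are None, so never pass False here`. Separately, the Secure flag only stops the browser from sending the cookie back over plaintext; it does not stop this code from issuing one in a plain-HTTP response, so with SESSION_COOKIE_SECURE enabled a site that is also reachable over HTTP will mint a fresh session on every plaintext request, and the setting's docs should state that the site must be served entirely over HTTPS for it to be usable. Note too that, under standard cookie semantics, a plain-HTTP response for the same host can still overwrite a Secure cookie, so the flag protects the confidentiality of the session id in transit rather than its integrity. The enclosing method starts outside the hunk.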
@@ -245,6 +245,17 @@ Default: ``'sessionid'``
 The name of the cookie to use for sessions. This can be whatever you want.
+SESSION_COOKIE_SECURE
+---------------------
+
+**New in Django development version**
+
+Default: ``False``
+
+Whether to use a secure cookie for the session cookie. If this is set to
+``True``, the cookie will be marked as "secure," which means browsers may
+ensure that the cookie is only sent under an HTTPS connection.
+
 SESSION_EXPIRE_AT_BROWSER_CLOSE
 -------------------------------
diff --git a/docs/settings.txt b/docs/settings.txt
index 099196e56e..67e0498e1a 100644
--- a/docs/settings.txt
+++ b/docs/settings.txt
@@ -647,6 +647,18 @@ Default: ``'sessionid'``
 The name of the cookie to use for sessions. This can be whatever you want.
 See the `session docs`_.
+SESSION_COOKIE_SECURE
+---------------------
+
+**New in Django development version**
+
+Default: ``False``
+
+Whether to use a secure cookie for the session cookie. If this is set to
+``True``, the cookie will be marked as "secure," which means browsers may
+ensure that the cookie is only sent under an HTTPS connection.
+See the `session docs`_.
+
 SESSION_EXPIRE_AT_BROWSER_CLOSE
 -------------------------------