> So I should be looking at SESSION_COOKIE_SECURE (http://docs.djangoproject.com/en/dev/topics/http/sessions/)?
Cookies are passed along with the request, not in a separate connection. Therefore, with browsers that support secure-only cookies, setting SESSION_COOKIE_SECURE = True would require all requests which needed the session (in your case, all of them, I believe) to be served over SSL.

> > Steven, you say you have login on SSL and then have the cookie passed
> > over unencrypted channel for the rest of the site. Is there any risk
> > with this or mitigating steps that should be taken?

I'm no security expert ;-) but it would certainly be easier to steal a cookie that is being transferred over an insecure connection, at which point the thief could impersonate the user of the cookie that was stolen. BUT this would require that the thief have access to the network somewhere between the client and server (so it's not _that_ easy). Also note that the Django cookie does not contain the password (no cookies should ever contain secrets like this).

Other options might be to consider using SESSION_EXPIRE_AT_BROWSER_CLOSE or SESSION_COOKIE_AGE to reduce the lifetime of the cookie, at the expense of requiring your users to log in more frequently.

Given that you say your content is not particularly sensitive, I would presume that saving the CPU cycles and only using SSL for auth and personal data transfer is acceptable -- but maybe the extra CPU cycles are not significant. Only you and your stakeholders can determine what level of paranoia you need for your site.

Hope this helps!

Steven.
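The following is an added example, not code from the thread above or from Django itself. It models, with the standard library only, the three things the reply talks about: a Secure cookie is withheld by the browser from plain http:// requests (so a site that is only partly on SSL loses its session on the http pages), a cookie sent over http:// is readable by anyone on the path, and SESSION_EXPIRE_AT_BROWSER_CLOSE / SESSION_COOKIE_AGE only shorten how long a stolen cookie stays useful. `build_set_cookie()` is an assumed, simplified stand-in for the Set-Cookie header Django's SessionMiddleware emits (the real middleware sets more attributes); the hostname and session key are constructed sample values.

```python
"""Toy model of what SESSION_COOKIE_SECURE, SESSION_COOKIE_AGE and
SESSION_EXPIRE_AT_BROWSER_CLOSE change about a session cookie's exposure.
Added example; not Django's code. build_set_cookie() is an assumed,
simplified stand-in for the header Django's SessionMiddleware sends."""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE_NAME = "sessionid"  # Django's default session cookie name


def build_set_cookie(session_key, secure, expire_at_browser_close, cookie_age=1209600):
    """Simplified stand-in for the Set-Cookie header Django would emit.
    With SESSION_EXPIRE_AT_BROWSER_CLOSE the Max-Age attribute is omitted, so
    the browser treats it as a session cookie; otherwise Max-Age is
    SESSION_COOKIE_AGE (Django's default is two weeks, in seconds)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True          # SESSION_COOKIE_SECURE = True
    if not expire_at_browser_close:
        morsel["max-age"] = cookie_age   # SESSION_COOKIE_AGE
    return cookie.output(header="").strip()


@dataclass
class StoredCookie:
    value: str
    secure: bool        # only ever attached to https:// requests
    session_only: bool  # discarded when the browser is closed


class ToyBrowserJar:
    """Minimal cookie jar that honours the Secure attribute and session-only lifetime."""

    def __init__(self):
        self.cookies = {}

    def receive(self, set_cookie_header):
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.cookies[name] = StoredCookie(
                value=morsel.value,
                secure=bool(morsel["secure"]),
                session_only=morsel["max-age"] == "",
            )

    def cookie_header_for(self, url):
        """The Cookie header the browser attaches to a request for `url`.
        Secure cookies are withheld from plain http:// requests, which is why
        SESSION_COOKIE_SECURE forces every session-using page onto SSL."""
        scheme = urlsplit(url).scheme
        sent = [f"{name}={c.value}" for name, c in self.cookies.items()
                if scheme == "https" or not c.secure]
        return "; ".join(sent)

    def close_browser(self):
        self.cookies = {n: c for n, c in self.cookies.items() if not c.session_only}


def sniffed_by_on_path_attacker(url, cookie_header):
    """What a passive attacker between client and server can read: the whole
    Cookie header on plaintext http://, nothing on https://."""
    return cookie_header if urlsplit(url).scheme == "http" else ""


def simulate(secure, expire_at_browser_close):
    """Log in over SSL, fetch one https and one http page, then close the browser."""
    jar = ToyBrowserJar()
    # Constructed sample session key: the cookie carries only this opaque key, never the password.
    jar.receive(build_set_cookie("1k9x3qzvbmh5", secure, expire_at_browser_close))
    https_url = "https://example.invalid/account/"   # assumed hostname
    http_url = "http://example.invalid/news/"
    result = {
        "sent_on_https": jar.cookie_header_for(https_url),
        "sent_on_http": jar.cookie_header_for(http_url),
    }
    result["leaked_to_sniffer"] = sniffed_by_on_path_attacker(http_url, result["sent_on_http"])
    jar.close_browser()
    result["survives_browser_close"] = SESSION_COOKIE_NAME in jar.cookies
    return result


if __name__ == "__main__":
    for secure in (False, True):
        for close in (False, True):
            print(f"SESSION_COOKIE_SECURE={secure} SESSION_EXPIRE_AT_BROWSER_CLOSE={close}:",
                  simulate(secure, close))
```

Running it shows the trade-off in the reply directly: with SESSION_COOKIE_SECURE = False the session cookie rides along on the http:// page and is visible to the sniffer; with it set to True the sniffer sees nothing, but the http:// page gets no cookie at all, so that page is effectively anonymous. The browser-close and Max-Age settings change only how long the cookie lives, not whether it is exposed in transit.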