From 7e1fa1a774cc787f186d6eb2fb01e4eede8b18a0 Mon Sep 17 00:00:00 2001 From: Glenn Rice Date: Wed, 22 Jan 2025 15:26:48 -0600 Subject: [PATCH] Change the default value of `$CookieSecure` to 1. There is really no production scenario where this should be anything but 1. If you are really serving without https, then you can change this. And good luck dealing with your users having to click through the warnings to get to your site. Note that this just works if you are using `localhost` in development also. Browsers have a built in exception for `localhost` and consider it secure without actual certificates. I am tired of seeing forum issues because system administrators forget or don't know to change this. --- conf/defaults.config | 3 +-- conf/localOverrides.conf.dist | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/conf/defaults.config b/conf/defaults.config index f9087301e8..94b0f102ca 100644 --- a/conf/defaults.config +++ b/conf/defaults.config @@ -981,8 +981,7 @@ $session_management_via = "session_cookie"; $CookieSameSite = "Lax"; # Set the value of the secure cookie attribute. -# The default is 0, as 1 will not work without https. -$CookieSecure = 0; +$CookieSecure = 1; # If $useSessionCookie is set to 1, then a "session" cookie will be used. This # means that the cookie will be deleted when the browser session ends. diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist index c852f924be..5a19b9e0a4 100644 --- a/conf/localOverrides.conf.dist +++ b/conf/localOverrides.conf.dist @@ -595,8 +595,8 @@ $mail{feedbackRecipients} = [ #$CookieSameSite = "Lax"; # Set the value of the secure cookie attribute. -# The default is 0, as 1 will not work without https. -#$CookieSecure = 1; +# The default is 1, so if you are serving without https then set this to 0. +#$CookieSecure = 0; # If $useSessionCookie is set to 1, then a "session" cookie will be used. This # means that the cookie will be deleted when the browser session ends.