From a26d2be92cdbfbdd4bcaf350eae3c07b3ca9686e Mon Sep 17 00:00:00 2001
From: "Karl O. Pinc"
Date: Sat, 14 Dec 2019 00:30:48 -0600
Subject: [PATCH] Change default session.secure to False so PGWUI works out-of-the-box

---
 README.rst | 3 +++
 examples/etc/pgwui.ini | 5 ++++-
 examples/misc/development.ini | 3 +++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index f98aa5b..2d5cfa7 100644
--- a/README.rst
+++ b/README.rst
@@ -196,6 +196,9 @@ Configuration
 Configuration is done in the ``[app:main]`` section of an ``.ini``
 configuration file.
 
+Those using HTTPS can improve security by changing the session.secure
+configuration setting to True.
+
 Advanced Configuration
 ^^^^^^^^^^^^^^^^^^^^^^
 
diff --git a/examples/etc/pgwui.ini b/examples/etc/pgwui.ini
index 28ee039..0aeb2e8 100644
--- a/examples/etc/pgwui.ini
+++ b/examples/etc/pgwui.ini
@@ -111,7 +111,10 @@ session.key = pgwui_server
 # HMAC secret
 #session.secret = xxxxxxrandomstring40characterslongxxxxxx
 # Send cookie only over https
-session.secure = True
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
+session.secure = False
 # Sessions timeout after an hour if unused.
 session.timeout = 3600
 # Pyramid sends cookies for exception pages
diff --git a/examples/misc/development.ini b/examples/misc/development.ini
index 057c3e4..b3d8dd2 100644
--- a/examples/misc/development.ini
+++ b/examples/misc/development.ini
@@ -125,6 +125,9 @@ session.key = pgwui_server
 #session.secret = xxxxxxrandomstring40characterslongxxxxxx
 # Send cookie only over https
 # (True for production)
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
 session.secure = False
 # Sessions timeout after an hour if unused.
 session.timeout = 3600
-- 
2.34.1
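Review bot: Flipping the shipped production example (`examples/etc/pgwui.ini`) to `session.secure = False` means a deployer who copies it and serves over HTTPS without reading the comment gets a session cookie the browser will also send over plain HTTP (a typed `http://` URL, a redirect, a mixed-content link), exposing the HMAC-signed session to anyone who can observe that traffic. Consider keeping `True` in the production example and leaving `False` only in `examples/misc/development.ini`, or at least stating in the comment what the flag protects: `# Without the Secure flag the session cookie is also sent over plain HTTP, where it can be read in transit.` The added CAUTION text also reads as if only forced-HTTPS setups need True, whereas any deployment reachable over HTTPS benefits, so `# CAUTION: If your site is served over HTTPS, set session.secure to True.` would be more accurate. The same comment block is added to development.ini in the next hunk, where False as the default is appropriate and the existing `# (True for production)` line already carries the right hint.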