Make session secure by default #11597

Open
4 tasks
GuySartorelli opened this issue Feb 7, 2025 · 0 comments

Comments

@GuySartorelli (Member)

In https://docs.silverstripe.org/en/developer_guides/cookies_and_sessions/sessions/#cookies there is clear guidance for how to make a session secure - but that should be the default. Developers can then loosen that as needed for their circumstances.

We should tighten this up in CMS 6 - we can't do it sooner than that for BC reasons.

Acceptance criteria

  • Session.cookie_samesite configuration property is set to 'Strict' by default
  • Session.cookie_secure configuration property is set to true by default
  • Documentation is updated to reflect the new defaults, and to say how to loosen them (and an example of an appropriate scenario in which to do that, or if no such scenario is discovered, a warning to not do it unless they're sure they know what they're doing)
  • Changelog clearly calls out this change and how to revert it if needed
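As an added illustration (not part of the issue or the Silverstripe project's own code), this is what the two acceptance criteria look like as project YAML config, with a dev-only block showing the kind of narrowly scoped loosening the documentation criterion asks for. It assumes the config class is `SilverStripe\Control\Session` as in the linked docs, and that the project uses the standard `Only:` / `environment:` config-block filter.

```yaml
---
Name: app-session-hardening
After: '#coresession'
---
# Hardened defaults proposed by the issue: the session cookie is only sent
# over HTTPS and never on cross-site requests.
SilverStripe\Control\Session:
  cookie_secure: true
  cookie_samesite: 'Strict'

---
Name: app-session-dev-only
After: '#app-session-hardening'
Only:
  environment: 'dev'
---
# Example of an appropriate, tightly scoped exception (assumption: a local
# dev environment served over plain HTTP, where a Secure cookie would never
# be sent back and every login would silently fail). This block is ignored
# in test/live, so the hardened values above remain the effective defaults.
SilverStripe\Control\Session:
  cookie_secure: false
```

Because the override is gated on `environment: 'dev'`, a misconfigured live deployment still gets the secure values, which is the behaviour the changelog entry should point at when describing how to revert the change.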