author Jacob Walls <jacobtylerwalls@gmail.com> 2026-06-03 09:23:37 -0400
committer Jacob Walls <jacobtylerwalls@gmail.com> 2026-06-03 12:12:54 -0400
commit 3328078a01f5268f9b8659f56fd28c5a2ed083dc
tree 4b473d337ae52c0de265911b4e2adcd11381231e /docs/ref/settings.txt
parent 170975c5bdc3fc69b15e46f50df7b48eb9e1115c
Refs CVE-2026-6873 -- Defaulted SIGNED_COOKIE_LEGACY_SALT_FALLBACK transitional setting to False.
Diffstat (limited to 'docs/ref/settings.txt')
-rw-r--r-- docs/ref/settings.txt 15
1 files changed, 11 insertions, 4 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index b69cafad5a..31762338b9 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2838,16 +2838,23 @@ See also :setting:`DATE_FORMAT` and :setting:`SHORT_DATE_FORMAT`.
.. versionadded:: 5.2.15
-Default: ``True``
+Default: ``False``
Controls whether :meth:`~django.http.HttpRequest.get_signed_cookie` accepts
cookies signed with Django's historical signed-cookie salt derivation based on
``key + salt``.
-Set this to ``False`` to reject those legacy signed cookies and only accept
+Set this to ``True`` to accept those legacy signed cookies in addition to
cookies signed with Django's current unambiguous signed-cookie salt derivation.
-This transitional setting will be removed in Django 7.0, when the legacy signed
-cookies will no longer be accepted.
+
+.. versionchanged:: 6.1
+
+ In older versions, the default was ``True``.
+
+.. deprecated:: 6.1
+
+ This transitional setting will be removed in Django 7.0, when legacy signed
+ cookies will no longer be accepted.
.. setting:: SIGNING_BACKEND
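Review bot: The new ``versionchanged:: 6.1`` block near the end of this hunk records that the default used to be ``True`` but gives no upgrade guidance. With the default now ``False``, ``get_signed_cookie`` stops accepting cookies signed with the legacy ``key + salt`` derivation unless the setting is set explicitly, so a project that still has such cookies outstanding will see them rejected after upgrading. Suggest one added sentence in that block saying that those projects must set ``SIGNED_COOKIE_LEGACY_SALT_FALLBACK = True`` explicitly for the transition period, and that doing so keeps the legacy derivation accepted alongside the current unambiguous one. Since the setting carries ``versionadded:: 5.2.15``, it would also help to spell out "older versions" as the releases where the setting exists, so readers on the backport branch know which default they have.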