summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/contrib/messages.txt9
-rw-r--r--docs/ref/settings.txt13
2 files changed, 21 insertions, 1 deletions
diff --git a/docs/ref/contrib/messages.txt b/docs/ref/contrib/messages.txt
index 2014c7c183..c1995b6d39 100644
--- a/docs/ref/contrib/messages.txt
+++ b/docs/ref/contrib/messages.txt
@@ -376,3 +376,12 @@ behavior:
* :setting:`MESSAGE_LEVEL`
* :setting:`MESSAGE_STORAGE`
* :setting:`MESSAGE_TAGS`
+
+.. versionadded:: 1.7
+
+For backends that use cookies, the settings for the cookie are taken from
+the session cookie settings:
+
+* :setting:`SESSION_COOKIE_DOMAIN`
+* :setting:`SESSION_COOKIE_SECURE`
+* :setting:`SESSION_COOKIE_HTTPONLY`
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 2f531803bc..b0bc020f47 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2266,7 +2266,8 @@ See :ref:`message storage backends <message-storage-backends>` for more details.
The backends that use cookies --
:class:`~django.contrib.messages.storage.cookie.CookieStorage` and
:class:`~django.contrib.messages.storage.fallback.FallbackStorage` --
-use the value of :setting:`SESSION_COOKIE_DOMAIN` when setting their cookies.
+use the value of :setting:`SESSION_COOKIE_DOMAIN`, :setting:`SESSION_COOKIE_SECURE`
+and :setting:`SESSION_COOKIE_HTTPONLY` when setting their cookies.
.. setting:: MESSAGE_TAGS
@@ -2342,6 +2343,8 @@ standard domain cookies, existing user cookies will be set to the old
domain. This may result in them being unable to log in as long as these cookies
persist.
+This setting also affects cookies set by :mod:`django.contrib.messages`.
+
.. setting:: SESSION_COOKIE_HTTPONLY
SESSION_COOKIE_HTTPONLY
@@ -2359,6 +2362,10 @@ consistently by all browsers. However, when it is honored, it can be a
useful way to mitigate the risk of client side script accessing the
protected cookie data.
+.. versionadded:: 1.7
+
+This setting also affects cookies set by :mod:`django.contrib.messages`.
+
.. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly
.. setting:: SESSION_COOKIE_NAME
@@ -2396,6 +2403,10 @@ Whether to use a secure cookie for the session cookie. If this is set to
``True``, the cookie will be marked as "secure," which means browsers may
ensure that the cookie is only sent under an HTTPS connection.
+.. versionadded:: 1.7
+
+This setting also affects cookies set by :mod:`django.contrib.messages`.
+
.. setting:: SESSION_ENGINE
SESSION_ENGINE