diff options
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/contrib/messages.txt | 9 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 13 |
2 files changed, 21 insertions, 1 deletions
diff --git a/docs/ref/contrib/messages.txt b/docs/ref/contrib/messages.txt index 2014c7c183..c1995b6d39 100644 --- a/docs/ref/contrib/messages.txt +++ b/docs/ref/contrib/messages.txt @@ -376,3 +376,12 @@ behavior: * :setting:`MESSAGE_LEVEL` * :setting:`MESSAGE_STORAGE` * :setting:`MESSAGE_TAGS` + +.. versionadded:: 1.7 + +For backends that use cookies, the settings for the cookie are taken from +the session cookie settings: + +* :setting:`SESSION_COOKIE_DOMAIN` +* :setting:`SESSION_COOKIE_SECURE` +* :setting:`SESSION_COOKIE_HTTPONLY` diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 2f531803bc..b0bc020f47 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2266,7 +2266,8 @@ See :ref:`message storage backends <message-storage-backends>` for more details. The backends that use cookies -- :class:`~django.contrib.messages.storage.cookie.CookieStorage` and :class:`~django.contrib.messages.storage.fallback.FallbackStorage` -- -use the value of :setting:`SESSION_COOKIE_DOMAIN` when setting their cookies. +use the value of :setting:`SESSION_COOKIE_DOMAIN`, :setting:`SESSION_COOKIE_SECURE` +and :setting:`SESSION_COOKIE_HTTPONLY` when setting their cookies. .. setting:: MESSAGE_TAGS @@ -2342,6 +2343,8 @@ standard domain cookies, existing user cookies will be set to the old domain. This may result in them being unable to log in as long as these cookies persist. +This setting also affects cookies set by :mod:`django.contrib.messages`. + .. setting:: SESSION_COOKIE_HTTPONLY SESSION_COOKIE_HTTPONLY @@ -2359,6 +2362,10 @@ consistently by all browsers. However, when it is honored, it can be a useful way to mitigate the risk of client side script accessing the protected cookie data. +.. versionadded:: 1.7 + +This setting also affects cookies set by :mod:`django.contrib.messages`. + .. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly .. setting:: SESSION_COOKIE_NAME @@ -2396,6 +2403,10 @@ Whether to use a secure cookie for the session cookie. If this is set to ``True``, the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent under an HTTPS connection. +.. versionadded:: 1.7 + +This setting also affects cookies set by :mod:`django.contrib.messages`. + .. setting:: SESSION_ENGINE SESSION_ENGINE |
