Configuration is done in the ``[app:main]`` section of an ``.ini``
configuration file.
+Those using HTTPS can improve security by changing the session.secure
+configuration setting to True.
+
Advanced Configuration
^^^^^^^^^^^^^^^^^^^^^^
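Review bot: The added sentence ("Those using HTTPS can improve security by changing the session.secure configuration setting to True.") presents the setting as optional hardening and does not say what it does. Suggest stating that it restricts the session cookie to HTTPS and that it should be True whenever the site is served over HTTPS. Also mark up the setting name and value as literals (``session.secure``, ``True``) to match ``[app:main]`` and ``.ini`` in the sentence above.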
# HMAC secret
#session.secret = xxxxxxrandomstring40characterslongxxxxxx
# Send cookie only over https
-session.secure = True
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
+session.secure = False
# Sessions timeout after an hour if unused.
session.timeout = 3600
# Pyramid sends cookies for exception pages
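Review bot: Changing "session.secure = True" to "session.secure = False" makes the permissive value the default in this file, so an HTTPS deployment that copies it unchanged loses the "Send cookie only over https" restriction described in the comment just above. Consider keeping True as the shipped value and having the new comment tell HTTP-only users to set it to False: a too-strict default fails visibly (sessions do not work over HTTP), while a too-loose one fails silently. The WARNING and CAUTION lines also state the same rule from two directions, and one sentence would be enough.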
#session.secret = xxxxxxrandomstring40characterslongxxxxxx
# Send cookie only over https
# (True for production)
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
session.secure = False
# Sessions timeout after an hour if unused.
session.timeout = 3600
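Review bot: The three added comment lines sit directly under the existing "# (True for production)" hint and restate it. The phrase "forcing the browser to use HTTPS" also leaves unclear whether a redirect or simply serving the site over HTTPS is meant. A single line such as "# Set to True whenever the site is served over HTTPS; False only for plain HTTP." could replace both the old hint and the new block, and the same wording could be reused for the identical comment added in the other settings file.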