From: Karl O. Pinc
Date: Sat, 14 Dec 2019 06:30:48 +0000 (-0600)
Subject: Change default session.secure to False so PGWUI works out-of-the-box
X-Git-Url: https://papio.biology.duke.edu/gitweb/?a=commitdiff_plain;h=a26d2be92cdbfbdd4bcaf350eae3c07b3ca9686e;p=pgwui_server

Change default session.secure to False so PGWUI works out-of-the-box
---
diff --git a/README.rst b/README.rst
index f98aa5b..2d5cfa7 100644
--- a/README.rst
+++ b/README.rst
@@ -196,6 +196,9 @@ Configuration
 Configuration is done in the ``[app:main]`` section of an ``.ini`` configuration file.
+Those using HTTPS can improve security by changing the session.secure
+configuration setting to True.
+
 Advanced Configuration
 ^^^^^^^^^^^^^^^^^^^^^^
diff --git a/examples/etc/pgwui.ini b/examples/etc/pgwui.ini
index 28ee039..0aeb2e8 100644
--- a/examples/etc/pgwui.ini
+++ b/examples/etc/pgwui.ini
@@ -111,7 +111,10 @@ session.key = pgwui_server
 # HMAC secret
 #session.secret = xxxxxxrandomstring40characterslongxxxxxx
 # Send cookie only over https
-session.secure = True
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
+session.secure = False
 # Sessions timeout after an hour if unused.
 session.timeout = 3600
 # Pyramid sends cookies for exception pages
diff --git a/examples/misc/development.ini b/examples/misc/development.ini
index 057c3e4..b3d8dd2 100644
--- a/examples/misc/development.ini
+++ b/examples/misc/development.ini
@@ -125,6 +125,9 @@ session.key = pgwui_server
 #session.secret = xxxxxxrandomstring40characterslongxxxxxx
 # Send cookie only over https
 # (True for production)
+# WARNING: To use HTTP, not HTTPS, session.secure must be False!
+# CAUTION: If you are forcing the browser to use HTTPS you want
+# session.secure to be True.
 session.secure = False
 # Sessions timeout after an hour if unused.
 session.timeout = 3600
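Review bot: The CAUTION comment added above `session.secure = False` in examples/etc/pgwui.ini (and repeated in examples/misc/development.ini) understates when the flag is needed: with it False the browser also attaches the session cookie to any plain-http request for the same host, so the cookie should be marked secure whenever the site is served over HTTPS at all, not only when HTTPS is being forced. Suggest rewording to `# CAUTION: If the site is served over HTTPS, set session.secure = True;` / `# otherwise the session cookie is also sent over plain HTTP.` Since pgwui.ini is the example deployment configuration, it may also be worth saying in that comment that False is chosen only so PGWUI works over HTTP out of the box, as the commit message states, so readers do not take it as the recommended setting.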