Opened 12 years ago

Closed 11 years ago

#13548 closed (duplicate)

'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: dev
Severity:
Keywords: cookie, IE, csrf
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no


If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.

Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:

  1. It doesn't sound DRY
  2. I only want to give 'max_age', and don't want to be bothered with 'expires' - in other words, do it yourself, you can
  3. It's so easy to forget this constraint (as for the CSRF cookie)

The proposed solution is for Django to set 'expires' when it is not, but a 'max_age' is provided.

Attachments (1)

set_cookie.diff (1.1 KB) - added by master 12 years ago.


Change History (4)

Changed 12 years ago by master

Attachment: set_cookie.diff added

comment:1 Changed 12 years ago by master

This patch resolves the ticket #13549 as well.

comment:2 Changed 12 years ago by Russell Keith-Magee

Needs tests: set
Triage Stage: Unreviewed → Design decision needed

Ah, IE. How we do love thee and thy love of standards

Setting max-age and expires (with expires automatically based on max-age) appears to be a solution that others (e.g., TurboGears) have used.

comment:3 Changed 11 years ago by Chris Beaven

Resolution: duplicate
Status: new → closed

Marking as a duplicate of #7770 - I'm going to fix this issue there too.
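
An added example (not the attached patch and not Django's own code) of the approach this ticket proposes: derive `Expires` from `max_age` when only `max_age` is given, plus a check that flags a Set-Cookie value carrying Max-Age without Expires. It uses Python's standard `http.cookies`; the function names and the sample cookie values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_cookie_header(name, value, max_age=None, expires=None, now=None):
    """Return a Set-Cookie header value.

    When max_age is given without expires, Expires is derived from it so
    that a client ignoring Max-Age still keeps the cookie for its lifetime.
    """
    now = now or datetime.now(timezone.utc)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    if max_age is not None:
        morsel["max-age"] = int(max_age)
        if expires is None:
            # Same lifetime, expressed as an absolute date.
            expires = now + timedelta(seconds=int(max_age))
    if expires is not None:
        # HTTP dates are always written in GMT.
        morsel["expires"] = format_datetime(
            expires.astimezone(timezone.utc), usegmt=True
        )
    morsel["path"] = "/"
    return morsel.OutputString()


def lacks_expires_fallback(header_value):
    """True when a Set-Cookie value has Max-Age but no Expires attribute."""
    attrs = {
        part.split("=", 1)[0].strip().lower()
        for part in header_value.split(";")[1:]
    }
    return "max-age" in attrs and "expires" not in attrs


if __name__ == "__main__":
    # Constructed sample: a one-hour cookie issued at a fixed instant.
    issued = datetime(2010, 1, 1, tzinfo=timezone.utc)
    header = build_cookie_header("csrftoken", "abc123", max_age=3600, now=issued)
    print(header)
    print(lacks_expires_fallback(header))
    print(lacks_expires_fallback("csrftoken=abc123; Max-Age=3600; Path=/"))
```

`lacks_expires_fallback` can be run over captured response headers to find cookies that would fall back to session lifetime in a client without Max-Age support.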
