Opened 6 years ago

Closed 6 years ago

#13548 closed (duplicate)

'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: cookie, IE, csrf
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings:
UI/UX:


If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.

Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:

  1. It doesn't sound DRY
  2. I only want to give 'max_age', and don't want to be bothered with 'expires' - in other words, do it yourself, you can
  3. It's so easy to forget this constraint (as for the CSRF cookie)

The proposed solution is for Django to set 'expires' when it is not set but a 'max_age' is provided.

Attachments (1)

set_cookie.diff (1.1 KB) - added by master 6 years ago.


Change History (4)

Changed 6 years ago by master

comment:1 Changed 6 years ago by master

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

This patch resolves the ticket #13549 as well.

comment:2 Changed 6 years ago by russellm

  • Needs tests set
  • Triage Stage changed from Unreviewed to Design decision needed

Ah, IE. How we do love thee and thy love of standards

Setting max-age and expires (with expires automatically based on max-age) appears to be a solution that others (e.g., TurboGears) have used.

comment:3 Changed 6 years ago by SmileyChris

  • Resolution set to duplicate
  • Status changed from new to closed

Marking as a duplicate of #7770 - I'm going to fix this issue there too.
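
The behaviour proposed in this ticket, as an added example (it is not the attached set_cookie.diff and not Django's code): the hypothetical helper `set_cookie_header` derives Expires from Max-Age when only the latter is given, and the hypothetical `lacks_expires` flags a Set-Cookie value that still has the pitfall. The cookie name, values and the `now` parameter are assumptions made for the example.

```python
import time
from email.utils import formatdate
from http.cookies import SimpleCookie

# Constructed sample: the header shape the ticket describes (Max-Age only).
SAMPLE_MAX_AGE_ONLY = "sid=abc; Max-Age=60; Path=/"


def set_cookie_header(name, value, max_age=None, expires=None, now=None):
    """Build a Set-Cookie value; fill in Expires from Max-Age when it is missing."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    if max_age is not None:
        morsel["max-age"] = int(max_age)
        if expires is None:
            # Same lifetime, expressed as an absolute HTTP date in GMT.
            expires = formatdate(now + int(max_age), usegmt=True)
    if expires is not None:
        # An explicitly supplied Expires is never overwritten.
        morsel["expires"] = expires
    morsel["path"] = "/"
    return morsel.OutputString()


def lacks_expires(header_value):
    """True when a Set-Cookie value carries Max-Age but no Expires attribute."""
    attrs = {
        part.split("=", 1)[0].strip().lower()
        for part in header_value.split(";")[1:]  # skip the name=value pair
    }
    return "max-age" in attrs and "expires" not in attrs


if __name__ == "__main__":
    print(lacks_expires(SAMPLE_MAX_AGE_ONLY))
    print(set_cookie_header("sid", "abc", max_age=60))
```
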
