Opened 14 years ago
Closed 14 years ago
#13548 closed (duplicate)
'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age
| Reported by: | master | Owned by: | nobody |
|---|---|---|---|
| Component: | HTTP handling | Version: | dev |
| Severity: | Keywords: | cookie, IE, csrf | |
| Cc: | Triage Stage: | Design decision needed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.
Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:
- It doesn't sound DRY
- I only want to give 'max_age', and don't want to be bother with 'expires' - in other words, do it yourself, you can
- It's so easy to forget this constraint (as for the CSRF cookie)
The proposed solution is for Django to set 'expires' when it is not but a 'max_age' is provided.
Attachments (1)
Change History (4)
by , 14 years ago
| Attachment: | set_cookie.diff added |
|---|
comment:1 by , 14 years ago
comment:2 by , 14 years ago
| Needs tests: | set |
|---|---|
| Triage Stage: | Unreviewed → Design decision needed |
Ah, IE. How we do love thee and thy love of standards
Setting max-age and expires (with expires automatically based on max-age) appears to be a solution that others (e.g., TurboGears) have used.
comment:3 by , 14 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Marking as a duplicate of #7770 - I'm going to fix this issue there too.
This patch resolves the ticket #13549 as well.