'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age
| Field | Value |
|---|---|
| Reported by | master |
| Owned by | nobody |
| Severity | |
| Keywords | cookie, IE, csrf |
| Cc | |
| Triage Stage | Design decision needed |
| Has patch | yes |
| Needs documentation | no |
| Needs tests | yes |
| Patch needs improvement | no |
If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.
Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:
- It doesn't sound DRY
- I only want to give 'max_age', and don't want to be bothered with 'expires' - in other words, do it yourself, you can
- It's so easy to forget this constraint (as for the CSRF cookie)
The proposed solution is for Django to set 'expires' when it is not set but a 'max_age' is provided.
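The pitfall and the proposed fix, as an added example that is not Django's code and not part of the ticket. `build_set_cookie` stands in for `HttpResponse.set_cookie` and, when `derive_expires` is on, fills in `Expires` from `max_age` using an RFC 1123 HTTP-date; `is_persistent` is an assumed, simulated client that either honours `Max-Age` or, like the IE build named in the ticket, ignores it and only understands `Expires`. The `now` parameter exists so the output is deterministic; a real caller leaves it at the default.

```python
import time
from email.utils import formatdate
from http.cookies import SimpleCookie


def expires_from_max_age(max_age, now=None):
    """RFC 1123 HTTP-date that is `max_age` seconds after `now` (default: current time).

    This is the value an Expires attribute needs; browsers that ignore Max-Age
    still treat a cookie carrying Expires as persistent.
    """
    if now is None:
        now = time.time()
    return formatdate(now + max_age, usegmt=True)


def build_set_cookie(key, value, max_age=None, expires=None, derive_expires=True, now=None):
    """Build a Set-Cookie header value (stand-in for HttpResponse.set_cookie).

    derive_expires=False reproduces the pitfall from the ticket: only Max-Age is
    emitted.  derive_expires=True implements the proposal: when max_age is given
    and expires is not, Expires is computed from max_age so both are sent.
    """
    cookie = SimpleCookie()
    cookie[key] = value
    morsel = cookie[key]
    if max_age is not None:
        morsel["max-age"] = max_age
        if expires is None and derive_expires:
            expires = expires_from_max_age(max_age, now)
    if expires is not None:
        # A string is emitted verbatim (an int would make SimpleCookie compute its own date).
        morsel["expires"] = expires
    return morsel.OutputString()


def is_persistent(header, honours_max_age=True):
    """Simulated client (assumption, not a real browser): does the cookie outlive the session?

    A client that understands Max-Age keeps the cookie when either attribute is
    present; a client that ignores Max-Age (the IE case) keeps it only if Expires
    is present.
    """
    attrs = {}
    for part in header.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val
    if honours_max_age and "max-age" in attrs:
        return True
    return "expires" in attrs


if __name__ == "__main__":
    # Constructed sample: a CSRF-style cookie with a one-hour lifetime.
    before = build_set_cookie("csrftoken", "abc", max_age=3600, derive_expires=False, now=0)
    after = build_set_cookie("csrftoken", "abc", max_age=3600, now=0)
    print("max_age only :", before, "-> persistent on Max-Age-blind client:",
          is_persistent(before, honours_max_age=False))
    print("with expires :", after, "-> persistent on Max-Age-blind client:",
          is_persistent(after, honours_max_age=False))
```

Run stand-alone, the first line shows the header that a `Max-Age`-blind client treats as a session cookie; the second shows the same cookie with `Expires` added, which such a client keeps for the hour. Note that `Expires` is computed from the server clock, so a client whose clock is far off will see a different lifetime than `Max-Age` states; that is inherent to `Expires` and is why sending both attributes, not `Expires` alone, is the right fix.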