Opened 14 years ago

Closed 14 years ago

#13548 closed (duplicate)

'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: dev
Severity:
Keywords: cookie, IE, csrf
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.

Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:

  1. It doesn't sound DRY
  2. I only want to give 'max_age', and don't want to be bothered with 'expires' - in other words, do it yourself, you can
  3. It's so easy to forget this constraint (as for the CSRF cookie)

The proposed solution is for Django to set 'expires' when it is not set but a 'max_age' is provided.

Attachments (1)

set_cookie.diff (1.1 KB) - added by master 14 years ago.


Change History (4)

by master, 14 years ago

Attachment: set_cookie.diff added

comment:1 by master, 14 years ago

This patch resolves the ticket #13549 as well.

comment:2 by Russell Keith-Magee, 14 years ago

Needs tests: set
Triage Stage: Unreviewed → Design decision needed

Ah, IE. How we do love thee and thy love of standards

Setting max-age and expires (with expires automatically based on max-age) appears to be a solution that others (e.g., TurboGears) have used.

comment:3 by Chris Beaven, 14 years ago

Resolution: duplicate
Status: new → closed

Marking as a duplicate of #7770 - I'm going to fix this issue there too.
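
The behaviour proposed in the description and echoed in comment:2 (derive 'expires' from 'max_age' when only 'max_age' is given), as an added example that is neither the attached set_cookie.diff nor Django's own code. The helper names build_set_cookie and max_age_without_expires are hypothetical, and the cookie values are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_set_cookie(name, value, max_age=None, expires=None, now=None):
    """Return a Set-Cookie header value (hypothetical helper).

    If max_age is given without expires, an absolute Expires date is
    derived from it so that clients ignoring Max-Age still persist the
    cookie. `expires` and `now`, when passed, must be timezone-aware.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    if max_age is not None:
        max_age = int(max_age)
        morsel["max-age"] = max_age
        if expires is None:
            now = now or datetime.now(timezone.utc)
            # A zero or negative max_age yields a date that is not in
            # the future, which asks the client to drop the cookie.
            expires = now + timedelta(seconds=max_age)
    if expires is not None:
        # Cookie dates are written in GMT, so normalise to UTC first.
        utc = expires.astimezone(timezone.utc)
        morsel["expires"] = format_datetime(utc, usegmt=True)
    morsel["path"] = "/"
    return morsel.OutputString()


def max_age_without_expires(header_value):
    """True if a Set-Cookie value has Max-Age but no Expires attribute."""
    attrs = {part.split("=", 1)[0].strip().lower()
             for part in header_value.split(";")[1:]}
    return "max-age" in attrs and "expires" not in attrs


if __name__ == "__main__":
    fixed_now = datetime(2010, 5, 15, 12, 0, 0, tzinfo=timezone.utc)
    header = build_set_cookie("csrftoken", "abc", max_age=3600, now=fixed_now)
    print(header)
    print(max_age_without_expires(header))
    # Constructed header showing the pitfall from this ticket:
    print(max_age_without_expires("csrftoken=abc; Max-Age=3600; Path=/"))
```

max_age_without_expires can be run over captured Set-Cookie values to find cookies that would fall back to session lifetime in the browser described in this ticket.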
