Opened 4 years ago

Closed 4 years ago

#13548 closed (duplicate)

'max_age' without 'expires' pitfall: IE doesn't support cookie's max-age

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: cookie, IE, csrf
Cc:
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings:
UI/UX:


If you want to set the lifetime of a cookie with HttpResponse.set_cookie(... max_age = something ...) without specifying expires= also, it doesn't work with IE (tested on version 8.0.6001.18702): the cookie is only there for the browser session time.

Of course, you can always specify 'expires' whenever you specify 'max_age', likely with the same information so:

  1. It doesn't sound DRY
  2. I only want to give 'max_age', and don't want to be bothered with 'expires' - in other words, do it yourself, you can
  3. It's so easy to forget this constraint (as for the CSRF cookie)

The proposed solution is for Django to set 'expires' when it is not set but a 'max_age' is provided.
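
The approach proposed above, deriving 'expires' from 'max_age' when only the latter is given, sketched as an added example (this is not the attached set_cookie.diff and not Django's code). build_cookie and audit_set_cookie are hypothetical names, the header strings are constructed samples, and datetimes are assumed to be timezone-aware UTC.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_cookie(name, value, max_age=None, expires=None, now=None):
    """Build a Set-Cookie value; derive Expires from max_age when it is missing.

    `expires` and `now` are assumed to be timezone-aware UTC datetimes.
    """
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    if max_age is not None:
        morsel["max-age"] = int(max_age)
        if expires is None:
            # Absolute date for clients that ignore Max-Age (IE 8 in the ticket).
            expires = now + timedelta(seconds=int(max_age))
    if expires is not None:
        morsel["expires"] = format_datetime(expires, usegmt=True)
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """Classify the lifetime attributes of one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    if "max-age" in attrs and "expires" not in attrs:
        return name, "max-age-only"  # session-length on Max-Age-unaware clients
    if not attrs & {"max-age", "expires"}:
        return name, "session"
    return name, "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real application.
    samples = [
        "csrftoken=abc123; Max-Age=31449600; Path=/",
        build_cookie("csrftoken", "abc123", max_age=31449600),
    ]
    for header in samples:
        print(audit_set_cookie(header), "<-", header)
```

Running audit_set_cookie over the Set-Cookie headers of recorded responses finds cookies, such as a CSRF cookie, whose intended lifetime rests on Max-Age alone.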

Attachments (1)

set_cookie.diff (1.1 KB) - added by master 4 years ago.


Change History (4)

Changed 4 years ago by master

comment:1 Changed 4 years ago by master

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

This patch resolves the ticket #13549 as well.

comment:2 Changed 4 years ago by russellm

  • Needs tests set
  • Triage Stage changed from Unreviewed to Design decision needed

Ah, IE. How we do love thee and thy love of standards.

Setting max-age and expires (with expires automatically based on max-age) appears to be a solution that others (e.g., TurboGears) have used.

comment:3 Changed 4 years ago by SmileyChris

  • Resolution set to duplicate
  • Status changed from new to closed

Marking as a duplicate of #7770 - I'm going to fix this issue there too.
