Opened 11 years ago

Closed 11 years ago

#13549 closed (duplicate)

IE doesn't support cookie's max-age, so the CSRF cookie is not kept

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: csrf, cookie, IE
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


In django\middleware\, class CsrfViewMiddleware, process_response(), the set_cookie() sets a 'max_age' argument but no 'expires' argument.
IE doesn't consider the max-age attribute, so the behaviour is the same as not setting any lifetime to the cookie.

This problem can be solved by the patch proposed in ticket #13548.
If that patch is not accepted, then you have to set the parameter yourself, as in the patch attached to this ticket.

Attachments (1)

csrf.diff (1.2 KB) - added by master 11 years ago.
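
An added example, not the attached csrf.diff and not Django's own code: a standard-library sketch of the behaviour described in this ticket. It builds a Set-Cookie value with Max-Age alone and with an Expires derived from the same lifetime, then classifies how a client that ignores Max-Age would treat each. The function names, cookie value and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from http.cookies import SimpleCookie


def build_cookie(name, value, max_age, now=None, with_expires=True):
    """Return a Set-Cookie value carrying Max-Age and, optionally, Expires."""
    now = now or datetime.now(timezone.utc)
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["max-age"] = max_age
    cookie[name]["path"] = "/"
    if with_expires:
        # Expires is an absolute HTTP-date, so derive it from the same
        # lifetime that Max-Age expresses as a relative number of seconds.
        expires = now + timedelta(seconds=max_age)
        cookie[name]["expires"] = format_datetime(expires, usegmt=True)
    return cookie[name].OutputString()


def lifetime_seen_by(header_value, honors_max_age):
    """Classify the cookie as 'persistent' or 'session' for a given client.

    honors_max_age=False models a client that ignores Max-Age, as the
    ticket reports for IE.
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    morsel = next(iter(cookie.values()))
    if honors_max_age and morsel["max-age"]:
        return "persistent"
    if morsel["expires"]:
        return "persistent"
    # No lifetime attribute the client understands: dropped at browser exit.
    return "session"


if __name__ == "__main__":
    for with_expires in (False, True):
        header = build_cookie("csrftoken", "abc123", 3600,
                              with_expires=with_expires)
        print(header)
        print("  honours Max-Age:", lifetime_seen_by(header, True))
        print("  ignores Max-Age:", lifetime_seen_by(header, False))
```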


Change History (2)

Changed 11 years ago by master

Attachment: csrf.diff added

comment:1 Changed 11 years ago by Russell Keith-Magee

Resolution: duplicate
Status: new → closed

I'm going to close this as a dupe of #13548 -- This isn't something that should be fixed piecemeal; it should be fixed once so all cookies work as expected (well... the real fix is for IE to actually pay attention to published standards, but that's wishful thinking).

On a practical note, this specific incarnation of the bug shouldn't have too much of an impact - CSRF tokens shouldn't have any reason to persist beyond a browser session anyway, since they should generally be very short lived.
