
Opened 4 years ago

Closed 4 years ago

#13549 closed (duplicate)

IE doesn't support cookie's max-age, so the CSRF cookie is not kept

Reported by: master
Owned by: nobody
Component: HTTP handling
Version: master
Severity:
Keywords: csrf, cookie, IE
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

In django\middleware\csrf.py, class CsrfViewMiddleware, process_response(), the set_cookie() sets a 'max_age' argument but no 'expires' argument.
IE doesn't consider the max-age attribute, so the behaviour is the same as not setting any lifetime to the cookie.

This problem can be solved by the patch proposed in ticket #13548.
If that patch is not accepted, then you have to set the parameter yourself, as in the patch attached to this ticket.
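As an added illustration (not the attached patch and not Django's own `set_cookie` code), the following Python snippet shows the two halves of the problem described above: a helper that emits a Set-Cookie header with Max-Age alone or with an Expires date derived from it, and a checker that models a client which ignores Max-Age, so you can see that the Max-Age-only header degrades to a session cookie. The cookie name, token value, lifetime and the fixed `now` timestamp are constructed for the example.

```python
import time
from email.utils import formatdate, parsedate_to_datetime
from http.cookies import SimpleCookie


def build_csrf_cookie(token, max_age, now=None, include_expires=True, secure=True):
    """Return a Set-Cookie header string for a CSRF cookie.

    max_age is the lifetime in seconds. `now` is a Unix timestamp used to
    compute the absolute Expires date (injectable for deterministic output).
    include_expires=False reproduces the header the ticket complains about:
    Max-Age only, which a client that ignores Max-Age treats as a session cookie.
    The cookie name 'csrftoken' and the flags are choices for this example only.
    """
    if now is None:
        now = time.time()
    cookie = SimpleCookie()
    cookie["csrftoken"] = token
    morsel = cookie["csrftoken"]
    morsel["max-age"] = max_age
    if include_expires:
        # Expires is an absolute RFC 1123 date in GMT; clients that do not
        # understand Max-Age fall back to it.
        morsel["expires"] = formatdate(now + max_age, usegmt=True)
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = secure
    return morsel.OutputString()


def effective_expiry(set_cookie, now, honors_max_age=True):
    """Return the absolute expiry timestamp a client assigns to the cookie,
    or None when the client would keep it only for the browser session.

    honors_max_age=False models a browser that ignores the Max-Age attribute
    (the IE behaviour described in the ticket). Per RFC 6265, a client that
    understands both attributes prefers Max-Age over Expires.
    """
    attrs = {}
    # Skip the leading name=value pair; the rest are attributes.
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    if honors_max_age and "max-age" in attrs:
        return now + int(attrs["max-age"])
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]).timestamp()
    return None


if __name__ == "__main__":
    NOW = 1600000000  # constructed fixed timestamp: 2020-09-13 12:26:40 UTC
    for include_expires in (False, True):
        header = build_csrf_cookie("0123456789abcdef", 3600, now=NOW,
                                   include_expires=include_expires)
        print(header)
        print("  client honouring Max-Age :", effective_expiry(header, NOW, True))
        print("  client ignoring Max-Age  :", effective_expiry(header, NOW, False))
```

Run as a script it prints both headers and, for each, the expiry a standards-following client and a Max-Age-ignoring client would compute; only the header that also carries Expires gives the second client a persistent lifetime.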

Attachments (1)

csrf.diff (1.2 KB) - added by master 4 years ago.


Change History (2)

Changed 4 years ago by master

comment:1 Changed 4 years ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

I'm going to close this as a dupe of #13548 -- This isn't something that should be fixed piecemeal; it should be fixed once so all cookies work as expected (well... the real fix is for IE to actually pay attention to published standards, but that's wishful thinking).

On a practical note, this specific incarnation of the bug shouldn't have too much of an impact - CSRF tokens shouldn't have any reason to persist beyond a browser session anyway, since they should generally be very short lived.
